US10853491B2 - Security agent - Google Patents

Security agent Download PDF

Info

Publication number
US10853491B2
US10853491B2 US16/007,507 US201816007507A US10853491B2 US 10853491 B2 US10853491 B2 US 10853491B2 US 201816007507 A US201816007507 A US 201816007507A US 10853491 B2 US10853491 B2 US 10853491B2
Authority
US
United States
Prior art keywords
kernel
security agent
level security
execution
processes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US16/007,507
Other versions
US20190138723A1 (en
Inventor
David F. Diehl
Dmitri Alperovitch
Ion-Alexandru Ionescu
George Robert Kurtz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Crowdstrike Inc
Original Assignee
Crowdstrike Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Crowdstrike Inc filed Critical Crowdstrike Inc
Priority to US16/007,507 priority Critical patent/US10853491B2/en
Assigned to CROWDSTRIKE, INC. reassignment CROWDSTRIKE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: IONESCU, Ion-Alexandru, KURTZ, GEORGE ROBERT, DIEHL, DAVID F., ALPEROVITCH, DMITRI
Assigned to SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT reassignment SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CROWDSTRIKE HOLDINGS, INC., CROWDSTRIKE SERVICES, INC., CROWDSTRIKE, INC.
Publication of US20190138723A1 publication Critical patent/US20190138723A1/en
Application granted granted Critical
Publication of US10853491B2 publication Critical patent/US10853491B2/en
Assigned to SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT reassignment SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT PATENT SECURITY AGREEMENT Assignors: CROWDSTRIKE HOLDINGS, INC., CROWDSTRIKE, INC.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00Computing arrangements using knowledge-based models
    • G06N5/04Inference or reasoning models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0803Configuration setting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1491Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Definitions

  • malware malicious software—often called “malware”—that steals or destroys system resources, data, and private information is an increasing problem. Governments and businesses devote significant resources to preventing intrusions by malware. Malware comes in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. Some of the threats posed by malware are of such significance that they are described as cyber terrorism or industrial espionage.
  • FIG. 1 illustrates an example network connecting a computing device configured with a security agent, e.g., a kernel-level security agent, to a security service cloud.
  • a security agent e.g., a kernel-level security agent
  • FIG. 2 illustrates an example architecture of the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 , including a model, components, and managers.
  • the security agent e.g., kernel-level security agent
  • FIG. 3 illustrates an example process implemented by the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 for detecting a first action associated with malicious code, refraining from preventative action while gathering data, and, upon detecting subsequent action(s) associated with the malicious code, performing a preventative action.
  • the security agent e.g., kernel-level security agent
  • FIG. 4 illustrates an example process implemented by the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 for observing events, determining that the events are associated with malicious code, and deceiving an adversary associated with the malicious code.
  • the security agent e.g., kernel-level security agent
  • FIG. 5 illustrates an example process implemented by the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 for observing execution activities, storing data associated with the execution activities in a model that represents chains of execution activities, and taking action based on the chains of execution activities.
  • the security agent e.g., kernel-level security agent
  • a security agent e.g., a kernel-level security agent
  • the kernel-level security agent loads before the operating system of the host computing device.
  • the kernel-level security agent is loaded very early in the boot-time of the host computing device, by some of the first few dozen instructions. By loading early in boot-time, the kernel-level security agent significantly reduces the window in which malware can become active and interfere with operation of the host computing device or run unobserved on the host computing device.
  • the agent can also validate the integrity of its computing operations and data and additionally enhance the level of security provided.
  • the kernel-level security agent may be installed on the host computing device in the form of a driver and may be received from a security service.
  • a security service may be implemented as a cloud of security service devices (referred to herein as a “security service cloud” or a “remote security system”).
  • the security service cloud may receive notifications of observed events from the kernel-level security agent, may perform analysis of data associated with those events, may perform healing of the host computing device, and may generate configuration updates and provide those updates to the kernel-level security agent.
  • malware developers also referred to herein as “adversaries”
  • the term “adversaries” includes not only malware developers but also exploit developers, builders and operaters of an attack infrastructure, those conducting target reconnaissance, those executing the operation, those performing data exfiltration, and/or those maintaining persistence in the network, etc.
  • the “adversaries” can include numerous people that are all part of an “adversary” group.
  • the detection loop is focused on defeating not just the malware update loop but all aspects of this attack—the changing of the malware, the changing of the exploits, attack infrastructure, persistence tools, attack tactics, etc.
  • the detection loop of the kernel-level security agent and security service cloud is enabled by an agent architecture designed in accordance with the principles of the well-known OODA-loop (i.e., observe-orient-detect-act-loop). Rather than using fixed signatures to make quick determinations and responses, the kernel-level security agent observes and analyzes all semantically-interesting events that occur on the host computing device. Kernel-level security agent components known as collectors receive notifications of these semantically-interesting events (e.g., file writes and launching executables) from host operating system hooks or filter drivers, from user-mode event monitors, or from threads monitoring log files or memory locations.
  • OODA-loop i.e., observe-orient-detect-act-loop
  • Events may then be filtered using configurable filters of the kernel-level security agent and routed/dispatched to event consumers of the kernel-level security agent, such as correlators or actor components.
  • a correlator component notes the fact of the occurrence of the filtered events.
  • An actor component may, for example, gather forensic data associated with an event and update a situation model of the kernel-level security agent with the forensic data.
  • the situation model represents chains of execution activities and genealogies of processes, tracking attributes, behaviors, or patterns of processes executing on the host computing device and enabling an event consumer of the kernel-level security agent to determine when an event is interesting.
  • the event consumer can perform any or all of updating the situational model and performing further observation, generating an event to represent the determination that an interesting event has occurred, notifying the security service cloud of the interesting event, or healing the host computing device by halting execution of a process associated with malicious code or deceiving an adversary associated with the malicious code.
  • any or all of the observing, filtering, routing/dispatching, and/or utilizing of event consumers may occur in parallel with respect to multiple events.
  • the kernel-level security agent By looping based on significant events and chains of execution activities of the host computing device rather than on fixed signatures, the kernel-level security agent is able to better detect processes associated with malicious code. While adversaries can easily change malware to avoid signature-based detection, it is significantly more difficult to avoid detection by an agent that monitors and analyzes significant events. Further, by observing events for some time, and not immediately performing preventative action in response to detecting an action associated with malicious code, the kernel-level security agent may fool adversaries into thinking that the malware is working and, when the malware is later halted or deceived, the adversaries may first think to debug their own malware.
  • the kernel-level security agent performs updating while continuously monitoring, eliminating dangerous gaps in security coverage. Responsive to receiving a configuration update from the security service cloud, a configuration manager of the kernel-level security agent may invoke a component manager of the kernel-level security agent to load a new component that updates or replaces an existing component. The existing component continues to participate in threat detection while the new component loads, thus ensuring uninterrupted threat detection.
  • the kernel-level security agent includes an integrity manager that performs threat detection while core components of the kernel-level security agent or the managers themselves are updated or replaced. Thus, once the kernel-level security agent is installed, some components or manager(s) of the kernel-level security agent are continually involved in detecting threats to the host computing device.
  • a kernel-level security agent is described herein.
  • the kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events.
  • the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action.
  • the kernel-level security agent may also deceive an adversary associated with malicious code.
  • the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
  • FIG. 1 illustrates an example network connecting a computing device configured with a security agent, e.g., a kernel-level security agent, to a security service cloud that provides configuration, analysis, and healing to the computing device through the kernel-level security agent.
  • a computing device 102 may interact with a security service cloud 104 over a network 106 .
  • the computing device 102 may implement a kernel-level security agent 114 , which is shown stored in the memory 112 and executable by the processor(s) 108 .
  • the kernel-level security agent 114 may include components 116 to observe events and determine actions to take based on those events, a situational model 118 to track attributes and behaviors of processes of the computing device 102 , managers 120 to update the components 116 and provide continual detection during updates, and a communications module 122 to communicate with the security service cloud 104 .
  • the computing device 102 may include an operating system 124 , processes 126 , and log files 128 .
  • devices of the security service cloud 104 may also include processors 130 , network interfaces 132 , and memory 134 .
  • the memory 134 may store a communications module 136 to communicate with the kernel-level security agent 114 of the computing device 102 , an analysis module 138 to evaluate interesting events identified by the kernel-level security agent 114 , a configuration module 140 to generate and provide configuration updates to the kernel-level security agent 114 , a healing module 142 to halt or deceive malware executing on the computing device 102 , a social module 144 to notify other computing devices or users of the malware detected on the computing device 102 , and an administrative user interface (UI) to enable an administrator associated with the security service cloud 104 to view notifications of observed events and make decisions regarding appropriate responses to those events.
  • UI administrative user interface
  • the computing device 102 and devices of the security service cloud 104 may each be or include a server or server farm, multiple, distributed server farms, a mainframe, a work station, a personal computer (PC), a laptop computer, a tablet computer, a personal digital assistant (PDA), a cellular phone, a media center, an embedded system, or any other sort of device or devices.
  • the computing device(s) of the security service cloud 104 represent a plurality of computing devices working in communication, such as a cloud computing network of nodes.
  • the security service cloud 104 may distribute the modules and data 136 - 146 of the security service cloud 104 among the multiple computing devices.
  • one or more of the computing device(s) of the computing device 102 or the security service cloud 104 represents one or more virtual machines implemented on one or more computing devices.
  • the network 106 may be include any one or more networks, such as wired networks, wireless networks, and combinations of wired and wireless networks. Further, the network 106 may include any one or combination of multiple different types of public or private networks (e.g., cable networks, the Internet, wireless networks, etc.). In some instances, the computing device 102 and the security service cloud 104 communicate over the network using a secure protocol (e.g., https) and/or any other protocol or set of protocols, such as the transmission control protocol/Internet protocol (TCP/IP).
  • a secure protocol e.g., https
  • TCP/IP transmission control protocol/Internet protocol
  • the computing device 102 includes processor(s) 108 and network interface(s) 110 .
  • the processor(s) 108 may be or include any sort of processing unit, such as a central processing unit (CPU) or a graphic processing unit (GPU).
  • the network interface(s) 110 allow the computing device 102 to communicate with one or both of the security service cloud 104 and other devices.
  • the network interface(s) 110 may send and receive communications through one or both of the network 106 or other networks.
  • the network interface(s) 110 may also support both wired and wireless connection to various networks.
  • the memory 112 may store an array of modules and data, and may include volatile and/or nonvolatile memory, removable and/or non-removable media, and the like, which may be implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules, or other data.
  • Such memory includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, RAID storage systems, or any other medium which can be used to store the desired information and which can be accessed by a computing device.
  • the memory 112 includes a kernel-level security agent 114 .
  • the kernel-level security agent 114 operates as a virtual machine/shadow operating system.
  • the kernel-level security agent 114 loads before the operating system 124 of the computing device 102 .
  • the kernel-level security agent 114 is loaded very early in the boot-time of the computing device 102 , by some of the first few dozen instructions.
  • the kernel-level security agent 114 includes components 116 to observe events and determine appropriate action(s) to take based on those events and on a situational model 118 , as well as the situational model 118 , managers 120 to receive configuration updates from the security service cloud 104 and to perform the updates while continuing to observe events, and a communications module 122 to communicate with the security service cloud.
  • the kernel-level security agent 114 may include a hypervisor or one or more pre-boot components. The pre-boot components may or may not leverage hardware provided security features.
  • the memory 112 includes an operating system 124 of computing device 102 .
  • the operating system 124 may include hooks or filter drivers that allow other processes, such as the kernel-level security agent 114 to receive notifications of the occurrence or non-occurrence of events such as file creates, reads and writes, launching of executables, etc.
  • the memory 112 also includes processes 126 and log files 128 that are monitored by the kernel-level security agent 114 .
  • the devices of the security service cloud 104 include processor(s) 130 and network interface(s) 132 .
  • the processor(s) 130 may be or include any sort of processing units, such as central processing units (CPU) or graphic processing units (GPU).
  • the network interface(s) 132 allow the devices of the security service cloud 104 to communicate with one or both of the computing device 102 and other devices.
  • the network interface(s) 132 may send and receive communications through one or both of the network 106 or other networks.
  • the network interface(s) 132 may also support both wired and wireless connection to various networks.
  • the memory 134 may store an array of modules and data, and may include volatile and/or nonvolatile memory, removable and/or non-removable media, and the like, which may be implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules, or other data.
  • Such memory includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, RAID storage systems, or any other medium which can be used to store the desired information and which can be accessed by a computing device.
  • the memory 134 includes a communications module 136 .
  • the communications module may comprise any one or more protocol stacks, such as a TCP/IP stack, device drivers to network interfaces 132 , and any other modules or data that enable the devices of the security service cloud 104 to send and receive data over network 106 .
  • analysis module 138 may receive notifications of interesting events from kernel-level security agents 114 of computing devices, as well as forensic data associated with those interesting events. Upon receiving notification of an interesting event, the analysis module 138 may determine if related notifications have been received from other kernel-level security agents 114 of other computing devices 102 . Also or instead, the analysis module 138 may evaluate the interesting event based on one or more rules or heuristics.
  • the analysis module 138 may determine that an interesting event may be associated with malicious code based on these determinations and evaluations and may, in response, perform any or all of generating an event and providing the event to computing device 102 (e.g., for diagnostic or healing purposes), invoking the configuration module 140 to trigger a configuration update, invoking the healing module 142 to perform healing of computing devices 102 associated with the interesting event or deceiving of an adversary associated with the malicious code, or invoke the social module 144 to notify entities or persons associated with other computing device 102 of the potential malicious code.
  • the analysis module 138 may also maintain and utilize one or more models, such as models specific to individual computing devices 102 , to types of computing devices, to entities, or to a generic device. The analysis module 138 may update these models based on the received notifications and utilize the models in analyzing the interesting events. Additionally, the analysis module 138 may alert an administrator associated with the security service cloud 104 through the administrator UI 146 .
  • the configuration module 140 stored in memory 134 may generate configuration updates and provide those updates through the communications module 136 .
  • the configuration module 140 may generate device-specific configuration updates or configuration updates applicable to multiple devices.
  • Such a configuration manager 140 may also be referred to as an ontology compiler and may be configured to provide security policies specific to hardware, OS, and language constraints of different computing devices 102 .
  • the configuration updates may include both updates responsive to interesting events and updates to the modules and data 116 - 122 comprising the kernel-level security agents 114 .
  • the configuration module 140 may generate and provide configuration updates responsive to a notification from the computing device 102 or independently of any prior notification from the computing device 102 .
  • the healing module 142 may determine appropriate remedies to events determined to be associated with malicious code. For example, the healing module 142 may determine that an appropriate remedy is to halt a process associated with malicious code, to remove one or more executables, files, or registry keys, or to deceive malicious code by having it write to a dummy file rather than an operating system file, having it read falsified data, or falsifying a transmission associated with the malicious code. The healing module 142 may then instruct the kernel-level security agent 114 to perform the determined remedy. In some embodiments, the healing module 142 may provide the instructions via an event generated by the healing module 142 and provided to the kernel-level security agent 114 .
  • the social module 144 may share notifications of events determined to be associated with malicious code with individuals at other entities.
  • the malicious code may not have affected the other entities yet, but they may be interested in learning about the malicious code. For example, if the malicious code affects devices of one defense department contractor, other defense department contractors may desire to know about the malicious code, as they may be more likely to be affected by it.
  • the social module 144 may share notifications of malicious code and other information about the malicious code if both entities—the affected entity and the interested entity—agree to the sharing of the notifications.
  • the administrative UI 146 may enable an administrator of the security service cloud 104 to be alerted to events determined to be associated with malicious code, to examine the data associated with those events, and to instruct the security service cloud 104 regarding an appropriate response.
  • the administrative UI 146 may also enable an examination of the events and associated data by the administrator without first providing an alert.
  • any or all of the computing device 102 or the devices 104 of the security service cloud 104 may have features or functionality in addition to those that FIG. 1 illustrates.
  • any or all of the computing device 102 or the devices 104 of the security service cloud 104 may also include additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape.
  • the additional data storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • some or all of the functionality described as residing within any or all of the computing device 102 or the devices 104 of the security service cloud 104 may reside remotely from that/those device(s), in some implementations.
  • FIG. 2 illustrates an example architecture of the kernel-level security agent, including a model, components, and managers.
  • the security agent architecture 200 of the kernel-level security agent 114 includes modules and data 116 - 122 in a kernel mode 202 of the computing device 102 and components 116 in a user mode 204 of the computing device 102 .
  • the security agent architecture 200 may only include the modules and data 116 - 122 in the kernel mode 202 .
  • the kernel mode 202 and user mode 204 correspond to protection domains—also known as rings—that protect data and functionality of the computing device 102 from faults and malware.
  • a user mode such as user mode 204 , is associated with the outermost ring and the least level of privileges to access memory and functionality.
  • This ring is often referred to as “ring 3” and includes many application processes.
  • a kernel mode such as kernel mode 202 , is associated with an inner ring (sometimes the innermost ring, although in modern computing devices there is sometimes an additional level of privilege, a “ring—1”) and a higher level of privileges to access memory and functionality.
  • This ring is often referred to as “ring 0” and typically includes operating system processes.
  • the security agent architecture 200 includes collectors 206 .
  • collectors 206 are components 116 of the kernel-level security agent 114 that observe events associated with one or more processes, such as kernel mode processes. Events may include both actions performed by processes and non-occurrence of expected actions.
  • a collector 206 may register with a hook or filter driver offered by the operating system 124 to receive notifications of the occurrence or non-occurrence of certain events, such as file creates, reads and writes, and loading executables.
  • a collector 206 may also monitor locations in memory 112 or log files 128 , or spawn a thread to do so, observing events associated with the log files or memory locations.
  • a collector 206 may observe multiple kinds of events, or each type of event may be associated with a different collector 206 .
  • the events observed by the collectors 206 may be specified by a configuration of the kernel-level security agent 114 .
  • the collectors 206 observe all events on the computing device 102 and the configuration specifies configurable filters 214 for filtering and dispatching those events.
  • the configuration specifies which collectors 206 should be loaded to observe specific types of events.
  • the configuration both specifies which collectors 206 should be loaded and configurable filters 214 for filtering and dispatching events observed by those collectors 206 .
  • the security agent architecture 200 may include user mode collectors 208 to observe events that may not be visible to kernel mode processes. Such events could include, for example, rendering of display graphics for display on a display screen of the computing device 102 .
  • the kernel-level security agent 114 is further configured to load user mode collectors 208 as user mode modules of the computing device 102 .
  • user mode collectors 208 may observe multiple kinds of events, or each type of event may be associated with a different user mode collector 208 .
  • the events observed by the user mode collectors 208 may be specified by a configuration of the kernel-level security agent 114 .
  • the user mode collectors 208 observe all user mode events on the computing device 102 and the configuration specifies configurable filters 210 for filtering and dispatching the events.
  • the configuration specifies which user mode collectors 208 should be loaded to observe specific types of events.
  • the configuration both specifies which user mode collectors 208 should be loaded and configurable filters 210 for filtering and dispatching those events.
  • the security agent architecture may further include configurable filters 210 .
  • the configurable filters 210 may be user mode components 116 of the kernel-level security agent 114 that filter user mode events observed by the user mode collectors 208 based on the configuration of the kernel-level security agent 114 .
  • the configurable filters 210 may perform any filtering of the user mode events that does not require querying of the situational mode 118 so as to maximize the filtering of user mode events performed in the user mode 204 . Maximizing the filtering performed in the user mode 204 minimizes the number of observed user mode events that are transferred from user mode 204 to kernel mode 202 and thus conserves resources of the computing device 102 .
  • the filtered user mode events are transmitted between the user mode 204 and the kernel mode 202 by an input/output (I/O) mechanism 212 of the kernel-level security agent 114 .
  • the I/O mechanism 212 may be, for example, a ring buffer or other known mechanism for transmitting data between protection domains.
  • the I/O mechanism 212 is not a component of the kernel-level security agent 114 but, rather, is part of the other modules and data of the computing device 102 .
  • a filtering and dispatch component 214 receives observed events from the collectors 206 and user mode events from the via the I/O mechanism 212 . While FIG. 2 illustrates the filtering and dispatch component 214 as being logically associated with the routing component 216 , the filtering and dispatch component 214 may instead comprise one or more components (e.g., configurable filters 214 ) that are separate from the routing component 216 .
  • the filtering and dispatch component 214 may perform any filtering specified by the configuration of the kernel-level security agent 114 .
  • the configuration may specify filtering of all received events or only of specific types of received events.
  • Such filtering may, in some embodiments, involve querying the situational model 118 to determine attributes, behaviors, patterns, or other descriptions of the process that is associated with the event being filtered.
  • the filtering may also involve application of one or more rules or heuristics of the configuration.
  • the filtering and dispatch component 214 may dispatch the events using the routing component 216 , which may be a throw-forward bus or other type of bus.
  • the routing component 216 may in turn transmit events to any or all of correlators 218 , the situational model 118 , actors 220 , or the communications module 122 .
  • events that are significant in aggregate, but not alone, or events that do not necessitate the kernel-level security agent 114 to copy associated data associated with the events are dispatched via the routing component 216 to the correlators 218 . In some embodiment, these may be synchronous events that do not utilize a scheduler of the kernel-level security agent 114 .
  • events that are significant in isolation or that necessitate the kernel-level security agent 114 to copy associated data associated with the events are dispatched via the routing component 216 to a scheduler of the kernel-level security agent 114 for scheduled delivery to the actors 220 .
  • these events may be asynchronous events.
  • the correlators 218 are components 116 of the kernel-level security agent 114 that note the fact of the occurrence of specific types of events. Each correlator 218 may be specific to a single type of event or may be associated with multiple types of events. A correlator 218 may note the fact of the occurrence of a filtered event and, based at least in part on an association between the occurrence of the filtered event and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine, take an action.
  • a correlator 218 may maintain a counter of the numbers of occurrences of an event (e.g., ten writes to file X) and, at some threshold, may generate an event to indicate that the number of occurrences of a type of event is potentially interesting.
  • a threshold may be a set number specified in the configuration of the kernel-level security agent 114 or may be a number determined by querying the situational model 118 to determine the typical pattern of occurrences of the type of event within a time period.
  • the generated event may indicate the type of observed event and the number of occurrences of the observed event.
  • a correlator 218 that has generated an event may transmit the event via the routing component 216 to any or all of the situational model 118 , an actor 220 , or the communications module 122 .
  • a configurable filter 214 of the filter and dispatch component 214 may be used to filter the event generated by the correlator 218 .
  • the situation model 118 of the kernel-level security agent 114 may comprise any one or more databases, files, tables, or other structures that track attributes, behaviors, and/or patterns of objects or processes of the computing device 102 . These attributes, behaviors, and/or patterns may represent execution activities of processes and the situational model 118 may represent chains of execution activities providing genealogies of processes.
  • the situational model 118 (also referred to herein as “the model”) stores attributes, behaviors, and/or patterns of events, specific events, and forensic data associated with events. This data and other data stored by the situational model 118 may be indexed by specific events or by specific types of events.
  • the situational model may receive events from the routing component 216 and be updated to include the received events by logic associated with the situational model 118 .
  • the situational model 118 may also be updated by actors 220 with forensic data that is associated with events and retrieved by the actors 220 . Further, the situational model 118 may be configured to respond to queries from configurable filters 214 , correlators 218 , or actors 220 with descriptions of attributes, behaviors, and/or patterns of events or with descriptions of specific events.
  • actors 220 of the kernel-level security agent 114 receive events from the scheduler of the kernel-level security agent 114 .
  • Each actor 220 may be specific to a type of event or may handle multiple types of events.
  • an actor 220 may determine if the event was observed by collectors 206 or user mode collectors 208 or was instead generated by a correlator 218 or security service cloud 104 .
  • the actor 220 may gather additional forensic data about the event. Such forensic data may include additional descriptions of the event and may be gathered by interfacing with the operating system 124 .
  • the actor 220 may update the situational model 118 with the forensic data.
  • the actor 220 may also query the situational model 118 to determine attributes, behaviors, and/or patterns or other descriptions associated with the event. Based on those attributes, behaviors, and/or patterns, descriptions, or other rules or heuristics specified by the configuration of the kernel-level security agent 114 , the actor 220 may determine that the event is interesting in some fashion and/or may be associated with malicious code.
  • an actor 220 may update the situation model 118 , may notify the security service cloud 104 of the event, or may heal the computing device 102 .
  • the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event. Such deceiving may be achieved by falsifying data acquired by the malicious code or by falsifying the data transmitted to the adversary.
  • the action taken may be determined by the configuration of the kernel-level security agent 114 .
  • an actor 220 may perform the healing responsive to receiving instructions from the security service cloud 104 to perform the healing. As mentioned above, such instructions may be provided via an event generated by the security service cloud 104 .
  • the security agent architecture 200 includes the communications module 122 .
  • the communications module 122 may represent network protocol stack(s), network interface driver(s), and any other network interface components utilized by the kernel-level security agent 114 to communicate with the security service cloud 104 over the network 106 .
  • the communications module 122 may, as illustrated in FIG. 2 , be a kernel mode component of the computing device 102 . Further, the communications module 122 may transmit events, other notifications, and data associated events from the kernel-level security agent 114 to the security service cloud 104 .
  • the communications module 122 may also transmit configuration updates received from the security service cloud 104 to a configuration manager 222 of the kernel-level security agent 114 and healing instructions and/or events from the security service cloud 104 to an actor 220 .
  • the security agent architecture includes a plurality of managers 120 : a configuration manager 222 , a component manager 224 , a state manager 226 , a storage manager 228 , and an integrity manager 230 .
  • the configuration manager 222 may receive configuration updates from the security service cloud 104 .
  • the configuration manager 222 may receive the updates periodically or as needed.
  • the configuration manager 22 determines what changes to the kernel-level security agent 114 are needed to implement the configuration contained in the configuration update.
  • the configuration may specify a rule that creation of executables by Adobe Reader® is indicative of activity of malicious code and that any executions of such executables should be halted.
  • the configuration manager 222 may invoke the component manager 224 to load a new collector 206 to observe events associated with Adobe® and files created by Adobe Reader®, a configurable filter 214 that notes and dispatches such events, and/or an actor 220 to gather forensic data responsive to creation of an executable by Adobe Reader® and to halt execution of the created executable responsive to the loading of that executable.
  • the configuration update may specify a new configuration manager 222 . Responsive to such an update, the existing configuration manager 222 may invoke the component manager 224 to load the new configuration manager 222 and the integrity manager 230 to ensure continued observation while the configuration manager 222 is updated.
  • the component manager 224 loads new components 116 and managers 120 designed to update or replace existing components 116 or managers 120 .
  • the component manager 224 is invoked by the configuration manager 222 , which may inform the component manager 224 of which new component 116 or manager 120 is to be loaded, which component 116 or manager 120 is designated to be replaced or updated, and may specify a configuration of the new component 116 or manager 120 that implements the configuration update.
  • the component manager 224 may then load the new component 116 or manager 120 while the existing/old component 116 or manager 120 continues to operate.
  • the component manager 224 or some other component 116 or manager 120 of the kernel-level security agent 114 may deactivate the existing/old component 116 or manager 120 that is now replaced by the new component 116 or manager 120 .
  • the state manager 226 may be invoked by the component manager 224 to share state of an existing/old component 116 with a new component 116 .
  • the state manager 226 may keep the state of that interface and pass the interface between the old/existing component 116 and the new component 116 .
  • the storage manager 228 may be an interface to the memory 112 capable of being invoked by other components 116 or managers 120 of the kernel-level security agent 114 to read from and write to the memory 112 .
  • the integrity manager 230 maintains continued observation while core components 116 and managers 120 are updated.
  • the core components 116 and managers 120 are components 116 and managers 120 that always form part of an operating kernel-level security agent 114 . Because updates of such core components 116 and managers 120 can open a window of vulnerability in which malicious code can go undetected, some measure of continued observation is needed during the updates.
  • the integrity manager 230 provided this measure of continued observation by observing events and processes of the computing device 102 during the core component/manager updates.
  • the integrity module 230 may also be configured to detect attempts to delete it or other components 116 or managers 120 of the kernel-level security agent 114 and may prevent those attempts from succeeding.
  • FIGS. 3-5 illustrate example processes 300 , 400 , and 500 . These processes are illustrated as logical flow graphs, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof.
  • the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations.
  • computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types.
  • the order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the processes.
  • the process 300 includes, at 302 , a kernel-level security agent of a computing device detecting a first action associated with malicious code.
  • the kernel-level security agent gathers data associated with the first action.
  • the kernel-level security agent may then store the gathered data in a model that tracks actions taken by processes of a system which executed the first action.
  • the kernel-level security agent may inform a remote security service of the occurrence of the first action.
  • the kernel-level security agent receives from the remote security system instructions associated with the preventative action or a configuration update for configuring the kernel-level security agent. Also in response to detecting the first action, the kernel-level security agent refrains, at 312 , from performing a preventative action.
  • the kernel-level security agent detects one or more subsequent actions associated with the malicious code and, in response at 316 , performs a preventative action.
  • the one or more subsequent actions occur after the first action.
  • the preventative action is preventing the one or more subsequent actions and further actions by the malicious process or deceiving the an adversary associated with the malicious code.
  • the process 400 includes, at 402 , observing by a kernel-level security agent an event associated with a process executing on the computing device.
  • the kernel-level security agent determines, based at least in part on the observed event, that the process is associated with malicious code.
  • the determining comprises determining that the process is associated with malicious code based at least on part on a model that tracks processes of the computing device.
  • the kernel-level security agent deceives an adversary associated with the malicious code.
  • the deceiving comprises falsifying data acquired by the malicious code.
  • the deceiving comprises falsifying the data transmitted to the adversary.
  • the process 500 includes, at 502 , observing by a kernel-level security agent execution activities of one or more processes of the computing device.
  • the kernel-level security agent stores data associated with the one or more execution activities in a model of the kernel-level security agent, the model representing one or more chains of execution activities.
  • the chains of execution activities represents a genealogy of one of the processes.
  • the kernel-level security agent takes action based at least in part on the one or more chains of execution activities.
  • the taking action comprises halting or deceiving a process associated with malicious activity.
  • a computer-implemented method comprising: detecting a first action associated with malicious code; responsive to detecting the first action, gathering data associated with the first action while refraining from taking a preventative action; upon detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action, performing the preventative action.
  • One or more tangible computer-readable media storing computer-executable instructions configured to implement a security agent on a computer device, the security agent performing operations comprising: observing an event associated with a process executing on the computing device; determining, based at least in part on the observed event, that the process is associated with malicious code; and responsive to the determining, deceiving an adversary associated with the malicious code.
  • K The one or more tangible computer-readable media of any of paragraphs H-J, wherein the determining comprises determining that the process is associated with malicious code based at least on part on a model that tracks processes of the computing device.
  • M The one or more tangible computer-readable media of any of paragraphs H-L, wherein the operations further comprise providing gathered data associated with the observed event to a remote security system.
  • N The one or more tangible computer-readable media of any of paragraphs H-M, wherein the operations further comprise preventing an action by the process.
  • P A method implemented by a security agent of a computing device, the method comprising: observing execution activities of one or more processes of the computing device; storing data associated with the one or more execution activities in a model of the security agent, the model representing one or more chains of execution activities; and taking action based at least in part on the one or more chains of execution activities.
  • R The method of paragraph P or Q, wherein the taking action comprises halting or deceiving a process associated with malicious activity.
  • T The method of paragraph S, further comprising receiving, in response, instructions associated with the action or a configuration update for configuring the security agent.
  • V The method of any of paragraphs P-U, wherein the security agent is a kernel-level security agent.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)
  • Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.

Description

RELATED APPLICATIONS
This patent application is a continuation of and claims priority to and the benefit of the U.S. patent application entitled “Security Agent” with Ser. No. 15/393,797, filed on Dec. 29, 2016, which is a continuation of and claims priority to the U.S. patent application entitled “Kernel-Level Security Agent” with Ser. No. 14/140,323, filed on Dec. 24, 2013, now U.S. Pat. No. 9,571,453, issued Feb. 14, 2017, which is a divisional application of and claims priority to the U.S. patent application entitled “Kernel-Level Security Agent” with Ser. No. 13/492,672, filed on Jun. 8, 2012, now U.S. Pat. No. 9,043,903, issued May 26, 2015, each of which is fully incorporated herein by reference.
BACKGROUND
With Internet use forming an ever greater part of day to day life, malicious software—often called “malware”—that steals or destroys system resources, data, and private information is an increasing problem. Governments and businesses devote significant resources to preventing intrusions by malware. Malware comes in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. Some of the threats posed by malware are of such significance that they are described as cyber terrorism or industrial espionage.
Current approaches to these threats include traditional antivirus software, such as Symantec Endpoint Protection, that utilizes signature-based and heuristic techniques to detect malware. These techniques involve receiving malware definitions from a remote security service and scanning a host device on which the antivirus software is implemented for files matching the received definitions.
There are a number of problems with traditional antivirus software, however. Purveyors of malware are often able to react more quickly than vendors of security software, updating the malware to avoid detection. Also, there are periods of vulnerability when new definitions are implemented or when the security software itself is updated. During these periods of vulnerability, there is currently nothing to prevent the intrusion and spread of the malware. Further, antivirus software tends to be a user mode application that loads after the operating system, giving malware a window to avoid detection.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.
FIG. 1 illustrates an example network connecting a computing device configured with a security agent, e.g., a kernel-level security agent, to a security service cloud.
FIG. 2 illustrates an example architecture of the security agent, e.g., kernel-level security agent, used in the network of FIG. 1, including a model, components, and managers.
FIG. 3 illustrates an example process implemented by the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 for detecting a first action associated with malicious code, refraining from preventative action while gathering data, and, upon detecting subsequent action(s) associated with the malicious code, performing a preventative action.
FIG. 4 illustrates an example process implemented by the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 for observing events, determining that the events are associated with malicious code, and deceiving an adversary associated with the malicious code.
FIG. 5 illustrates an example process implemented by the security agent, e.g., kernel-level security agent, used in the network of FIG. 1 for observing execution activities, storing data associated with the execution activities in a model that represents chains of execution activities, and taking action based on the chains of execution activities.
DETAILED DESCRIPTION
Overview
This disclosure describes, in part, a security agent, e.g., a kernel-level security agent, that operates on a host computing device, including mobile and embedded systems, as a virtual machine/shadow operating system. The kernel-level security agent loads before the operating system of the host computing device. In fact, the kernel-level security agent is loaded very early in the boot-time of the host computing device, by some of the first few dozen instructions. By loading early in boot-time, the kernel-level security agent significantly reduces the window in which malware can become active and interfere with operation of the host computing device or run unobserved on the host computing device. In some embodiments, by leveraging hardware-based security features, the agent can also validate the integrity of its computing operations and data and additionally enhance the level of security provided.
In various embodiments, the kernel-level security agent may be installed on the host computing device in the form of a driver and may be received from a security service. Such a security service may be implemented as a cloud of security service devices (referred to herein as a “security service cloud” or a “remote security system”). In addition to installing the kernel-level security agent, the security service cloud may receive notifications of observed events from the kernel-level security agent, may perform analysis of data associated with those events, may perform healing of the host computing device, and may generate configuration updates and provide those updates to the kernel-level security agent. These interactions between the kernel-level security agent and the security service cloud enable a detection loop that defeats the malware update loop of malware developers (also referred to herein as “adversaries”) and further enable the kernel-level security agent to perform updating while continuously monitoring, eliminating dangerous gaps in security coverage. Also, as used herein, the term “adversaries” includes not only malware developers but also exploit developers, builders and operaters of an attack infrastructure, those conducting target reconnaissance, those executing the operation, those performing data exfiltration, and/or those maintaining persistence in the network, etc. Thus the “adversaries” can include numerous people that are all part of an “adversary” group. Also, the detection loop is focused on defeating not just the malware update loop but all aspects of this attack—the changing of the malware, the changing of the exploits, attack infrastructure, persistence tools, attack tactics, etc.
The detection loop of the kernel-level security agent and security service cloud is enabled by an agent architecture designed in accordance with the principles of the well-known OODA-loop (i.e., observe-orient-detect-act-loop). Rather than using fixed signatures to make quick determinations and responses, the kernel-level security agent observes and analyzes all semantically-interesting events that occur on the host computing device. Kernel-level security agent components known as collectors receive notifications of these semantically-interesting events (e.g., file writes and launching executables) from host operating system hooks or filter drivers, from user-mode event monitors, or from threads monitoring log files or memory locations. These events may then be filtered using configurable filters of the kernel-level security agent and routed/dispatched to event consumers of the kernel-level security agent, such as correlators or actor components. A correlator component notes the fact of the occurrence of the filtered events. An actor component may, for example, gather forensic data associated with an event and update a situation model of the kernel-level security agent with the forensic data. The situation model represents chains of execution activities and genealogies of processes, tracking attributes, behaviors, or patterns of processes executing on the host computing device and enabling an event consumer of the kernel-level security agent to determine when an event is interesting. Upon determining an occurrence of such an interesting event, the event consumer can perform any or all of updating the situational model and performing further observation, generating an event to represent the determination that an interesting event has occurred, notifying the security service cloud of the interesting event, or healing the host computing device by halting execution of a process associated with malicious code or deceiving an adversary associated with the malicious code. In various embodiments, any or all of the observing, filtering, routing/dispatching, and/or utilizing of event consumers may occur in parallel with respect to multiple events.
By looping based on significant events and chains of execution activities of the host computing device rather than on fixed signatures, the kernel-level security agent is able to better detect processes associated with malicious code. While adversaries can easily change malware to avoid signature-based detection, it is significantly more difficult to avoid detection by an agent that monitors and analyzes significant events. Further, by observing events for some time, and not immediately performing preventative action in response to detecting an action associated with malicious code, the kernel-level security agent may fool adversaries into thinking that the malware is working and, when the malware is later halted or deceived, the adversaries may first think to debug their own malware.
In various embodiments, as mentioned, the kernel-level security agent performs updating while continuously monitoring, eliminating dangerous gaps in security coverage. Responsive to receiving a configuration update from the security service cloud, a configuration manager of the kernel-level security agent may invoke a component manager of the kernel-level security agent to load a new component that updates or replaces an existing component. The existing component continues to participate in threat detection while the new component loads, thus ensuring uninterrupted threat detection.
In some embodiments, the kernel-level security agent includes an integrity manager that performs threat detection while core components of the kernel-level security agent or the managers themselves are updated or replaced. Thus, once the kernel-level security agent is installed, some components or manager(s) of the kernel-level security agent are continually involved in detecting threats to the host computing device.
In some embodiments, a kernel-level security agent is described herein. The kernel-level security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the kernel-level security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The kernel-level security agent may also deceive an adversary associated with malicious code. Further, the kernel-level security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
Example Network and Devices
FIG. 1 illustrates an example network connecting a computing device configured with a security agent, e.g., a kernel-level security agent, to a security service cloud that provides configuration, analysis, and healing to the computing device through the kernel-level security agent. As illustrated in FIG. 1, a computing device 102 may interact with a security service cloud 104 over a network 106. In addition to components such as processors 108, network interfaces 110, and memory 112, the computing device 102 may implement a kernel-level security agent 114, which is shown stored in the memory 112 and executable by the processor(s) 108. The kernel-level security agent 114 may include components 116 to observe events and determine actions to take based on those events, a situational model 118 to track attributes and behaviors of processes of the computing device 102, managers 120 to update the components 116 and provide continual detection during updates, and a communications module 122 to communicate with the security service cloud 104. In addition to the kernel-level security agent 114, the computing device 102 may include an operating system 124, processes 126, and log files 128.
In various embodiments, devices of the security service cloud 104 may also include processors 130, network interfaces 132, and memory 134. The memory 134 may store a communications module 136 to communicate with the kernel-level security agent 114 of the computing device 102, an analysis module 138 to evaluate interesting events identified by the kernel-level security agent 114, a configuration module 140 to generate and provide configuration updates to the kernel-level security agent 114, a healing module 142 to halt or deceive malware executing on the computing device 102, a social module 144 to notify other computing devices or users of the malware detected on the computing device 102, and an administrative user interface (UI) to enable an administrator associated with the security service cloud 104 to view notifications of observed events and make decisions regarding appropriate responses to those events.
In various embodiments, the computing device 102 and devices of the security service cloud 104 may each be or include a server or server farm, multiple, distributed server farms, a mainframe, a work station, a personal computer (PC), a laptop computer, a tablet computer, a personal digital assistant (PDA), a cellular phone, a media center, an embedded system, or any other sort of device or devices. In one implementation, the computing device(s) of the security service cloud 104 represent a plurality of computing devices working in communication, such as a cloud computing network of nodes. When implemented on multiple computing devices, the security service cloud 104 may distribute the modules and data 136-146 of the security service cloud 104 among the multiple computing devices. In some implementations, one or more of the computing device(s) of the computing device 102 or the security service cloud 104 represents one or more virtual machines implemented on one or more computing devices.
In some embodiments, the network 106 may be include any one or more networks, such as wired networks, wireless networks, and combinations of wired and wireless networks. Further, the network 106 may include any one or combination of multiple different types of public or private networks (e.g., cable networks, the Internet, wireless networks, etc.). In some instances, the computing device 102 and the security service cloud 104 communicate over the network using a secure protocol (e.g., https) and/or any other protocol or set of protocols, such as the transmission control protocol/Internet protocol (TCP/IP).
As mentioned, the computing device 102 includes processor(s) 108 and network interface(s) 110. The processor(s) 108 may be or include any sort of processing unit, such as a central processing unit (CPU) or a graphic processing unit (GPU). The network interface(s) 110 allow the computing device 102 to communicate with one or both of the security service cloud 104 and other devices. The network interface(s) 110 may send and receive communications through one or both of the network 106 or other networks. The network interface(s) 110 may also support both wired and wireless connection to various networks.
The memory 112 (and other memories described herein) may store an array of modules and data, and may include volatile and/or nonvolatile memory, removable and/or non-removable media, and the like, which may be implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules, or other data. Such memory includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, RAID storage systems, or any other medium which can be used to store the desired information and which can be accessed by a computing device.
As mentioned, the memory 112 includes a kernel-level security agent 114. The kernel-level security agent 114 operates as a virtual machine/shadow operating system. The kernel-level security agent 114 loads before the operating system 124 of the computing device 102. In fact, the kernel-level security agent 114 is loaded very early in the boot-time of the computing device 102, by some of the first few dozen instructions.
As illustrated in FIG. 1, the kernel-level security agent 114 includes components 116 to observe events and determine appropriate action(s) to take based on those events and on a situational model 118, as well as the situational model 118, managers 120 to receive configuration updates from the security service cloud 104 and to perform the updates while continuing to observe events, and a communications module 122 to communicate with the security service cloud. Also the kernel-level security agent 114 may include a hypervisor or one or more pre-boot components. The pre-boot components may or may not leverage hardware provided security features. These modules and data 116-122 of the kernel-level security agent 114 are described in further detail below with reference to the kernel-level security agent architecture 200 of FIG. 2.
As is further shown in FIG. 1, the memory 112 includes an operating system 124 of computing device 102. The operating system 124 may include hooks or filter drivers that allow other processes, such as the kernel-level security agent 114 to receive notifications of the occurrence or non-occurrence of events such as file creates, reads and writes, launching of executables, etc. The memory 112 also includes processes 126 and log files 128 that are monitored by the kernel-level security agent 114.
As mentioned, the devices of the security service cloud 104 include processor(s) 130 and network interface(s) 132. The processor(s) 130 may be or include any sort of processing units, such as central processing units (CPU) or graphic processing units (GPU). The network interface(s) 132 allow the devices of the security service cloud 104 to communicate with one or both of the computing device 102 and other devices. The network interface(s) 132 may send and receive communications through one or both of the network 106 or other networks. The network interface(s) 132 may also support both wired and wireless connection to various networks.
The memory 134 (and other memories described herein) may store an array of modules and data, and may include volatile and/or nonvolatile memory, removable and/or non-removable media, and the like, which may be implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules, or other data. Such memory includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, RAID storage systems, or any other medium which can be used to store the desired information and which can be accessed by a computing device.
As mentioned, the memory 134 includes a communications module 136. The communications module may comprise any one or more protocol stacks, such as a TCP/IP stack, device drivers to network interfaces 132, and any other modules or data that enable the devices of the security service cloud 104 to send and receive data over network 106.
In various embodiments, analysis module 138 may receive notifications of interesting events from kernel-level security agents 114 of computing devices, as well as forensic data associated with those interesting events. Upon receiving notification of an interesting event, the analysis module 138 may determine if related notifications have been received from other kernel-level security agents 114 of other computing devices 102. Also or instead, the analysis module 138 may evaluate the interesting event based on one or more rules or heuristics. The analysis module 138 may determine that an interesting event may be associated with malicious code based on these determinations and evaluations and may, in response, perform any or all of generating an event and providing the event to computing device 102 (e.g., for diagnostic or healing purposes), invoking the configuration module 140 to trigger a configuration update, invoking the healing module 142 to perform healing of computing devices 102 associated with the interesting event or deceiving of an adversary associated with the malicious code, or invoke the social module 144 to notify entities or persons associated with other computing device 102 of the potential malicious code. The analysis module 138 may also maintain and utilize one or more models, such as models specific to individual computing devices 102, to types of computing devices, to entities, or to a generic device. The analysis module 138 may update these models based on the received notifications and utilize the models in analyzing the interesting events. Additionally, the analysis module 138 may alert an administrator associated with the security service cloud 104 through the administrator UI 146.
In various embodiments, the configuration module 140 stored in memory 134 may generate configuration updates and provide those updates through the communications module 136. The configuration module 140 may generate device-specific configuration updates or configuration updates applicable to multiple devices. Such a configuration manager 140 may also be referred to as an ontology compiler and may be configured to provide security policies specific to hardware, OS, and language constraints of different computing devices 102. The configuration updates may include both updates responsive to interesting events and updates to the modules and data 116-122 comprising the kernel-level security agents 114. The configuration module 140 may generate and provide configuration updates responsive to a notification from the computing device 102 or independently of any prior notification from the computing device 102.
The healing module 142 may determine appropriate remedies to events determined to be associated with malicious code. For example, the healing module 142 may determine that an appropriate remedy is to halt a process associated with malicious code, to remove one or more executables, files, or registry keys, or to deceive malicious code by having it write to a dummy file rather than an operating system file, having it read falsified data, or falsifying a transmission associated with the malicious code. The healing module 142 may then instruct the kernel-level security agent 114 to perform the determined remedy. In some embodiments, the healing module 142 may provide the instructions via an event generated by the healing module 142 and provided to the kernel-level security agent 114.
In various embodiments, the social module 144 may share notifications of events determined to be associated with malicious code with individuals at other entities. The malicious code may not have affected the other entities yet, but they may be interested in learning about the malicious code. For example, if the malicious code affects devices of one defense department contractor, other defense department contractors may desire to know about the malicious code, as they may be more likely to be affected by it. The social module 144 may share notifications of malicious code and other information about the malicious code if both entities—the affected entity and the interested entity—agree to the sharing of the notifications.
In further embodiments, the administrative UI 146 may enable an administrator of the security service cloud 104 to be alerted to events determined to be associated with malicious code, to examine the data associated with those events, and to instruct the security service cloud 104 regarding an appropriate response. The administrative UI 146 may also enable an examination of the events and associated data by the administrator without first providing an alert.
In some instances, any or all of the computing device 102 or the devices 104 of the security service cloud 104 may have features or functionality in addition to those that FIG. 1 illustrates. For example, any or all of the computing device 102 or the devices 104 of the security service cloud 104 may also include additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. The additional data storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. In addition, some or all of the functionality described as residing within any or all of the computing device 102 or the devices 104 of the security service cloud 104 may reside remotely from that/those device(s), in some implementations.
Example Agent Architecture
FIG. 2 illustrates an example architecture of the kernel-level security agent, including a model, components, and managers. As illustrated, the security agent architecture 200 of the kernel-level security agent 114 includes modules and data 116-122 in a kernel mode 202 of the computing device 102 and components 116 in a user mode 204 of the computing device 102. In other embodiments, the security agent architecture 200 may only include the modules and data 116-122 in the kernel mode 202. The kernel mode 202 and user mode 204 correspond to protection domains—also known as rings—that protect data and functionality of the computing device 102 from faults and malware. Typically, a user mode, such as user mode 204, is associated with the outermost ring and the least level of privileges to access memory and functionality. This ring is often referred to as “ring 3” and includes many application processes. A kernel mode, such as kernel mode 202, is associated with an inner ring (sometimes the innermost ring, although in modern computing devices there is sometimes an additional level of privilege, a “ring—1”) and a higher level of privileges to access memory and functionality. This ring is often referred to as “ring 0” and typically includes operating system processes.
In various embodiments, the security agent architecture 200 includes collectors 206. These collectors 206 are components 116 of the kernel-level security agent 114 that observe events associated with one or more processes, such as kernel mode processes. Events may include both actions performed by processes and non-occurrence of expected actions. For example, a collector 206 may register with a hook or filter driver offered by the operating system 124 to receive notifications of the occurrence or non-occurrence of certain events, such as file creates, reads and writes, and loading executables. A collector 206 may also monitor locations in memory 112 or log files 128, or spawn a thread to do so, observing events associated with the log files or memory locations. A collector 206 may observe multiple kinds of events, or each type of event may be associated with a different collector 206. The events observed by the collectors 206 may be specified by a configuration of the kernel-level security agent 114. In some embodiments, the collectors 206 observe all events on the computing device 102 and the configuration specifies configurable filters 214 for filtering and dispatching those events. In other embodiments, the configuration specifies which collectors 206 should be loaded to observe specific types of events. In yet other embodiments, the configuration both specifies which collectors 206 should be loaded and configurable filters 214 for filtering and dispatching events observed by those collectors 206.
As is further shown in FIG. 2, the security agent architecture 200 may include user mode collectors 208 to observe events that may not be visible to kernel mode processes. Such events could include, for example, rendering of display graphics for display on a display screen of the computing device 102. To observe these events, the kernel-level security agent 114 is further configured to load user mode collectors 208 as user mode modules of the computing device 102. Like collectors 206, user mode collectors 208 may observe multiple kinds of events, or each type of event may be associated with a different user mode collector 208. The events observed by the user mode collectors 208 may be specified by a configuration of the kernel-level security agent 114. In some embodiments, the user mode collectors 208 observe all user mode events on the computing device 102 and the configuration specifies configurable filters 210 for filtering and dispatching the events. In other embodiments, the configuration specifies which user mode collectors 208 should be loaded to observe specific types of events. In yet other embodiments, the configuration both specifies which user mode collectors 208 should be loaded and configurable filters 210 for filtering and dispatching those events.
As mentioned, the security agent architecture may further include configurable filters 210. The configurable filters 210 may be user mode components 116 of the kernel-level security agent 114 that filter user mode events observed by the user mode collectors 208 based on the configuration of the kernel-level security agent 114. The configurable filters 210 may perform any filtering of the user mode events that does not require querying of the situational mode 118 so as to maximize the filtering of user mode events performed in the user mode 204. Maximizing the filtering performed in the user mode 204 minimizes the number of observed user mode events that are transferred from user mode 204 to kernel mode 202 and thus conserves resources of the computing device 102.
In some embodiments, the filtered user mode events are transmitted between the user mode 204 and the kernel mode 202 by an input/output (I/O) mechanism 212 of the kernel-level security agent 114. The I/O mechanism 212 may be, for example, a ring buffer or other known mechanism for transmitting data between protection domains. In some embodiments, the I/O mechanism 212 is not a component of the kernel-level security agent 114 but, rather, is part of the other modules and data of the computing device 102.
In various embodiments, a filtering and dispatch component 214, representative of configurable filters 214 each associated with one or more of the collectors 206, routing component 216, correlators 218, situational model 118, actors 220, and/or communications module 122, receives observed events from the collectors 206 and user mode events from the via the I/O mechanism 212. While FIG. 2 illustrates the filtering and dispatch component 214 as being logically associated with the routing component 216, the filtering and dispatch component 214 may instead comprise one or more components (e.g., configurable filters 214) that are separate from the routing component 216. Upon receiving events, the filtering and dispatch component 214 may perform any filtering specified by the configuration of the kernel-level security agent 114. For example, the configuration may specify filtering of all received events or only of specific types of received events. Such filtering may, in some embodiments, involve querying the situational model 118 to determine attributes, behaviors, patterns, or other descriptions of the process that is associated with the event being filtered. The filtering may also involve application of one or more rules or heuristics of the configuration.
Upon filtering the events, the filtering and dispatch component 214 may dispatch the events using the routing component 216, which may be a throw-forward bus or other type of bus. The routing component 216 may in turn transmit events to any or all of correlators 218, the situational model 118, actors 220, or the communications module 122. In some embodiments, events that are significant in aggregate, but not alone, or events that do not necessitate the kernel-level security agent 114 to copy associated data associated with the events, are dispatched via the routing component 216 to the correlators 218. In some embodiment, these may be synchronous events that do not utilize a scheduler of the kernel-level security agent 114. In further embodiments, events that are significant in isolation or that necessitate the kernel-level security agent 114 to copy associated data associated with the events are dispatched via the routing component 216 to a scheduler of the kernel-level security agent 114 for scheduled delivery to the actors 220. As these events are dispatched to a scheduler, they may be asynchronous events.
In various embodiments, the correlators 218 are components 116 of the kernel-level security agent 114 that note the fact of the occurrence of specific types of events. Each correlator 218 may be specific to a single type of event or may be associated with multiple types of events. A correlator 218 may note the fact of the occurrence of a filtered event and, based at least in part on an association between the occurrence of the filtered event and at least one of a threshold, a set, a sequence, a Markov chain, or a finite state machine, take an action. For example, a correlator 218 may maintain a counter of the numbers of occurrences of an event (e.g., ten writes to file X) and, at some threshold, may generate an event to indicate that the number of occurrences of a type of event is potentially interesting. Such a threshold may be a set number specified in the configuration of the kernel-level security agent 114 or may be a number determined by querying the situational model 118 to determine the typical pattern of occurrences of the type of event within a time period. The generated event may indicate the type of observed event and the number of occurrences of the observed event. A correlator 218 that has generated an event may transmit the event via the routing component 216 to any or all of the situational model 118, an actor 220, or the communications module 122. In some embodiments, a configurable filter 214 of the filter and dispatch component 214 may be used to filter the event generated by the correlator 218.
In further embodiments, the situation model 118 of the kernel-level security agent 114 may comprise any one or more databases, files, tables, or other structures that track attributes, behaviors, and/or patterns of objects or processes of the computing device 102. These attributes, behaviors, and/or patterns may represent execution activities of processes and the situational model 118 may represent chains of execution activities providing genealogies of processes. The situational model 118 (also referred to herein as “the model”) stores attributes, behaviors, and/or patterns of events, specific events, and forensic data associated with events. This data and other data stored by the situational model 118 may be indexed by specific events or by specific types of events. The situational model may receive events from the routing component 216 and be updated to include the received events by logic associated with the situational model 118. The situational model 118 may also be updated by actors 220 with forensic data that is associated with events and retrieved by the actors 220. Further, the situational model 118 may be configured to respond to queries from configurable filters 214, correlators 218, or actors 220 with descriptions of attributes, behaviors, and/or patterns of events or with descriptions of specific events.
In various embodiments, actors 220 of the kernel-level security agent 114 receive events from the scheduler of the kernel-level security agent 114. Each actor 220 may be specific to a type of event or may handle multiple types of events. Upon receiving an event, an actor 220 may determine if the event was observed by collectors 206 or user mode collectors 208 or was instead generated by a correlator 218 or security service cloud 104. The actor 220 may gather additional forensic data about the event. Such forensic data may include additional descriptions of the event and may be gathered by interfacing with the operating system 124. Upon gathering the forensic data, the actor 220 may update the situational model 118 with the forensic data. The actor 220 may also query the situational model 118 to determine attributes, behaviors, and/or patterns or other descriptions associated with the event. Based on those attributes, behaviors, and/or patterns, descriptions, or other rules or heuristics specified by the configuration of the kernel-level security agent 114, the actor 220 may determine that the event is interesting in some fashion and/or may be associated with malicious code.
Upon determining that an event is interesting, potentially associated with malicious code, or upon receiving an event generated by a correlator 218 or security service cloud, an actor 220 may update the situation model 118, may notify the security service cloud 104 of the event, or may heal the computing device 102. As mentioned above, the healing may involve halting a process associated with the event, deleting a process associated with the event (or malicious code associated with that process), or deceiving an adversary associated with malicious code that is in turn associated with the event. Such deceiving may be achieved by falsifying data acquired by the malicious code or by falsifying the data transmitted to the adversary. The action taken may be determined by the configuration of the kernel-level security agent 114. In some embodiments, an actor 220 may perform the healing responsive to receiving instructions from the security service cloud 104 to perform the healing. As mentioned above, such instructions may be provided via an event generated by the security service cloud 104.
In various embodiments, the security agent architecture 200 includes the communications module 122. The communications module 122 may represent network protocol stack(s), network interface driver(s), and any other network interface components utilized by the kernel-level security agent 114 to communicate with the security service cloud 104 over the network 106. The communications module 122 may, as illustrated in FIG. 2, be a kernel mode component of the computing device 102. Further, the communications module 122 may transmit events, other notifications, and data associated events from the kernel-level security agent 114 to the security service cloud 104. The communications module 122 may also transmit configuration updates received from the security service cloud 104 to a configuration manager 222 of the kernel-level security agent 114 and healing instructions and/or events from the security service cloud 104 to an actor 220.
As shown in FIG. 2, the security agent architecture includes a plurality of managers 120: a configuration manager 222, a component manager 224, a state manager 226, a storage manager 228, and an integrity manager 230. And as mentioned above, the configuration manager 222 may receive configuration updates from the security service cloud 104. The configuration manager 222 may receive the updates periodically or as needed. The configuration manager 22 then determines what changes to the kernel-level security agent 114 are needed to implement the configuration contained in the configuration update. For example, the configuration may specify a rule that creation of executables by Adobe Reader® is indicative of activity of malicious code and that any executions of such executables should be halted. To handle such a configuration, the configuration manager 222 may invoke the component manager 224 to load a new collector 206 to observe events associated with Adobe® and files created by Adobe Reader®, a configurable filter 214 that notes and dispatches such events, and/or an actor 220 to gather forensic data responsive to creation of an executable by Adobe Reader® and to halt execution of the created executable responsive to the loading of that executable.
In another example, the configuration update may specify a new configuration manager 222. Responsive to such an update, the existing configuration manager 222 may invoke the component manager 224 to load the new configuration manager 222 and the integrity manager 230 to ensure continued observation while the configuration manager 222 is updated.
In various embodiments, the component manager 224 loads new components 116 and managers 120 designed to update or replace existing components 116 or managers 120. As mentioned, the component manager 224 is invoked by the configuration manager 222, which may inform the component manager 224 of which new component 116 or manager 120 is to be loaded, which component 116 or manager 120 is designated to be replaced or updated, and may specify a configuration of the new component 116 or manager 120 that implements the configuration update. The component manager 224 may then load the new component 116 or manager 120 while the existing/old component 116 or manager 120 continues to operate. After the new component 116 or manager 120 has been loaded, the component manager 224 or some other component 116 or manager 120 of the kernel-level security agent 114 may deactivate the existing/old component 116 or manager 120 that is now replaced by the new component 116 or manager 120.
In various embodiments, the state manager 226 may be invoked by the component manager 224 to share state of an existing/old component 116 with a new component 116. For example, if the component 116 is an actor 220 having an interface with the operating system 124, the state manager 226 may keep the state of that interface and pass the interface between the old/existing component 116 and the new component 116.
In some embodiments, the storage manager 228 may be an interface to the memory 112 capable of being invoked by other components 116 or managers 120 of the kernel-level security agent 114 to read from and write to the memory 112.
As mentioned above, the integrity manager 230 maintains continued observation while core components 116 and managers 120 are updated. The core components 116 and managers 120 are components 116 and managers 120 that always form part of an operating kernel-level security agent 114. Because updates of such core components 116 and managers 120 can open a window of vulnerability in which malicious code can go undetected, some measure of continued observation is needed during the updates. The integrity manager 230 provided this measure of continued observation by observing events and processes of the computing device 102 during the core component/manager updates. In some embodiments, the integrity module 230 may also be configured to detect attempts to delete it or other components 116 or managers 120 of the kernel-level security agent 114 and may prevent those attempts from succeeding.
Example Processes
FIGS. 3-5 illustrate example processes 300, 400, and 500. These processes are illustrated as logical flow graphs, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the processes.
The process 300 includes, at 302, a kernel-level security agent of a computing device detecting a first action associated with malicious code. At 304, responsive to detecting the first action, the kernel-level security agent gathers data associated with the first action. At 306, the kernel-level security agent may then store the gathered data in a model that tracks actions taken by processes of a system which executed the first action. Alternatively or additionally, at 308, the kernel-level security agent may inform a remote security service of the occurrence of the first action. At 310, in response, the kernel-level security agent receives from the remote security system instructions associated with the preventative action or a configuration update for configuring the kernel-level security agent. Also in response to detecting the first action, the kernel-level security agent refrains, at 312, from performing a preventative action.
At 314, the kernel-level security agent detects one or more subsequent actions associated with the malicious code and, in response at 316, performs a preventative action. The one or more subsequent actions occur after the first action. At 316 a, the preventative action is preventing the one or more subsequent actions and further actions by the malicious process or deceiving the an adversary associated with the malicious code.
The process 400 includes, at 402, observing by a kernel-level security agent an event associated with a process executing on the computing device.
At 404, the kernel-level security agent determines, based at least in part on the observed event, that the process is associated with malicious code. At 404 a, the determining comprises determining that the process is associated with malicious code based at least on part on a model that tracks processes of the computing device.
At 406, responsive to the determining at 404, the kernel-level security agent deceives an adversary associated with the malicious code. At 406 a, the deceiving comprises falsifying data acquired by the malicious code. At 406 b, the deceiving comprises falsifying the data transmitted to the adversary.
The process 500 includes, at 502, observing by a kernel-level security agent execution activities of one or more processes of the computing device.
At 504, the kernel-level security agent stores data associated with the one or more execution activities in a model of the kernel-level security agent, the model representing one or more chains of execution activities. In some embodiments, at least one of the chains of execution activities represents a genealogy of one of the processes.
At 506, the kernel-level security agent takes action based at least in part on the one or more chains of execution activities. At 506 a, the taking action comprises halting or deceiving a process associated with malicious activity.
Example Clauses
A: A computer-implemented method comprising: detecting a first action associated with malicious code; responsive to detecting the first action, gathering data associated with the first action while refraining from taking a preventative action; upon detecting one or more subsequent actions associated with malicious code, the one or more subsequent actions occurring after the first action, performing the preventative action.
B: The method of paragraph A, wherein the preventative action is preventing the one or more subsequent actions and further actions by the malicious process or deceiving an adversary associated with the malicious code.
C: The method of paragraph A or B, further comprising storing the gathered data in a model that tracks actions taken by processes of a system which executed the first action.
D: The method of any of paragraphs A-C, further comprising providing the gathered data to a remote security system.
E: The method of paragraph D, further comprising receiving, in response, instructions associated with the preventative action or a configuration update for configuring a security agent that performs the detecting, gathering, and performing.
F: The method of any of paragraphs A-E, wherein the detecting, gathering, and performing are performed by a kernel-level security agent that utilizes configurable filters.
G: The method of any of paragraphs A-F, wherein detecting the first action or the one or more subsequent actions comprises observing events associated with multiple processes or threads in parallel.
H. One or more tangible computer-readable media storing computer-executable instructions configured to implement a security agent on a computer device, the security agent performing operations comprising: observing an event associated with a process executing on the computing device; determining, based at least in part on the observed event, that the process is associated with malicious code; and responsive to the determining, deceiving an adversary associated with the malicious code.
I: The one or more tangible computer-readable media of paragraph H, wherein the deceiving comprises falsifying data acquired by the malicious code.
J: The one or more tangible computer-readable media of paragraph H or I, wherein the deceiving comprises falsifying the data transmitted to the adversary.
K: The one or more tangible computer-readable media of any of paragraphs H-J, wherein the determining comprises determining that the process is associated with malicious code based at least on part on a model that tracks processes of the computing device.
L: The one or more tangible computer-readable media of any of paragraphs H-K, wherein the security agent utilizes configurable filters.
M: The one or more tangible computer-readable media of any of paragraphs H-L, wherein the operations further comprise providing gathered data associated with the observed event to a remote security system.
N: The one or more tangible computer-readable media of any of paragraphs H-M, wherein the operations further comprise preventing an action by the process.
O: The one or more tangible computer-readable media of any of paragraphs H-N, wherein the security agent is a kernel-level security agent.
P: A method implemented by a security agent of a computing device, the method comprising: observing execution activities of one or more processes of the computing device; storing data associated with the one or more execution activities in a model of the security agent, the model representing one or more chains of execution activities; and taking action based at least in part on the one or more chains of execution activities.
Q: The method of paragraph P, wherein at least one of the chains of execution activities represents a genealogy of one of the processes.
R: The method of paragraph P or Q, wherein the taking action comprises halting or deceiving a process associated with malicious activity.
S: The method of any of paragraphs P-R, further comprising providing the stored data to a remote security system.
T: The method of paragraph S, further comprising receiving, in response, instructions associated with the action or a configuration update for configuring the security agent.
U: The method of any of paragraphs P-T, wherein the security agent utilizes configurable filters.
V: The method of any of paragraphs P-U, wherein the security agent is a kernel-level security agent.
Conclusion
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claims.

Claims (20)

What is claimed is:
1. A computing system, comprising:
one or more processors;
a memory configured to store a model associated with a kernel-level security agent, and computer-executable instructions associated with the kernel-level security agent that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
loading the kernel-level security agent before loading an operating system of the computing system;
observing, by the kernel-level security agent, execution activities of at least two processes executing on the computing system;
storing, by the kernel-level security agent, first data associated with a first execution activity of the execution activities in the model;
storing, by the kernel-level security agent, second data associated with a second execution activity of the execution activities in the model, wherein the model represents at least a first chain of execution activities; and
taking, by the kernel-level security agent, action based at least in part on the first chain of execution activities.
2. The computing system of claim 1, wherein the first chain of execution activities represents a genealogy of at least one of the at least two processes.
3. The computing system of claim 1, wherein the taking the action comprises halting or deceiving a process of the at least two processes, the process being associated with malicious activity.
4. The computing system of claim 1, wherein the operations further comprise providing, by the kernel-level security agent, one or more of the first data or the second data to a remote security system.
5. The computing system of claim 4, wherein the operations further comprise receiving, by the kernel-level security agent in response to providing the one or more of the first data or the second data to the remote security system, instructions associated with the action or a configuration update for configuring the kernel-level security agent.
6. The computing system of claim 5, wherein the configuration update comprises a configurable filter, and the operations further comprise
detecting, by the kernel-level security agent, a subsequent action associated with malicious code, based at least in part on the configurable filter.
7. The computing system of claim 1, wherein the kernel-level security agent observes the execution activities of the at least two processes based on one or more of hooks or filter drivers of the operating system.
8. The computing system of claim 1, wherein the kernel-level security agent observes the execution activities at least in part by loading user mode collectors configured to observe user mode events associated with one or more of the at least two processes.
9. The computing system of claim 8, wherein the kernel-level security agent filters the user mode events based on a configurable filter.
10. A computer-implemented method, comprising:
loading a kernel-level security agent on a computing system, prior to loading an operating system of the computing system;
observing, by the kernel-level security agent, execution activities of at least two processes executing on the computing system;
storing, by the kernel-level security agent, first data associated with a first execution activity of the execution activities in a model of the kernel-level security agent;
storing, by the kernel-level security agent, second data associated with a second execution activity of the execution activities in the model, wherein the model represents at least a first chain of execution activities; and
taking, by the kernel-level security agent, action based at least in part on the first chain of execution activities.
11. The computer-implemented method of claim 10, wherein the first chain of execution activities represents a genealogy of at least one of the at least two processes.
12. The computer-implemented method of claim 10, wherein the taking the action comprises halting or deceiving a process of the at least two processes, the process being associated with malicious activity.
13. The computer-implemented method of claim 10, further comprising providing, by the kernel-level security agent, one or more of the first data or the second data to a remote security system.
14. The computer-implemented method of claim 10, wherein the kernel-level security agent observes the execution activities of the at least two processes based on one or more of hooks or filter drivers of the operating system.
15. The computer-implemented method of claim 10, wherein the kernel-level security agent observes the execution activities at least in part by loading user mode collectors configured to observe user mode events associated with one or more of the at least two processes.
16. One or more non-transitory computer-readable media storing computer-executable instructions associated with a kernel-level security agent that, when executed by one or more processors of a computing system, cause the one or more processors to perform operations comprising:
loading the kernel-level security agent, prior to loading an operating system of the computing system;
observing, by the kernel-level security agent, execution activities of at least two processes executing on the computing system;
storing, by the kernel-level security agent, first data associated with a first execution activity of the execution activities in a model of the kernel-level security agent;
storing, by the kernel-level security agent, second data associated with a second execution activity of the execution activities in the model, wherein the model represents at least a first chain of execution activities; and
taking, by the kernel-level security agent, action based at least in part on the first chain of execution activities.
17. The one or more non-transitory computer-readable media of claim 16, wherein the first chain of execution activities represents a genealogy of at least one of the at least two processes.
18. The one or more non-transitory computer-readable media of claim 16, wherein the taking the action comprises halting or deceiving a process of the at least two processes, the process being associated with malicious activity.
19. The one or more non-transitory computer-readable media of claim 16, wherein the operations further comprise providing, by the kernel-level security agent, one or more of the first data or the second data to a remote security system.
20. The one or more non-transitory computer-readable media of claim 16, wherein the kernel-level security agent observes the execution activities of the at least two processes based on at least one of:
one or more of hooks or filter drivers of the operating system, or
user mode collectors configured to observe user mode events associated with one or more of the at least two processes.
US16/007,507 2012-06-08 2018-06-13 Security agent Active 2032-08-08 US10853491B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/007,507 US10853491B2 (en) 2012-06-08 2018-06-13 Security agent

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US13/492,672 US9043903B2 (en) 2012-06-08 2012-06-08 Kernel-level security agent
US14/140,323 US9571453B2 (en) 2012-06-08 2013-12-24 Kernel-level security agent
US15/393,797 US10002250B2 (en) 2012-06-08 2016-12-29 Security agent
US16/007,507 US10853491B2 (en) 2012-06-08 2018-06-13 Security agent

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/393,797 Continuation US10002250B2 (en) 2012-06-08 2016-12-29 Security agent

Publications (2)

Publication Number Publication Date
US20190138723A1 US20190138723A1 (en) 2019-05-09
US10853491B2 true US10853491B2 (en) 2020-12-01

Family

ID=49712456

Family Applications (6)

Application Number Title Priority Date Filing Date
US13/492,672 Active 2032-07-23 US9043903B2 (en) 2012-06-08 2012-06-08 Kernel-level security agent
US14/140,323 Active US9571453B2 (en) 2012-06-08 2013-12-24 Kernel-level security agent
US14/709,779 Active US9621515B2 (en) 2012-06-08 2015-05-12 Kernel-level security agent
US15/393,797 Active US10002250B2 (en) 2012-06-08 2016-12-29 Security agent
US15/483,153 Active US9904784B2 (en) 2012-06-08 2017-04-10 Kernel-level security agent
US16/007,507 Active 2032-08-08 US10853491B2 (en) 2012-06-08 2018-06-13 Security agent

Family Applications Before (5)

Application Number Title Priority Date Filing Date
US13/492,672 Active 2032-07-23 US9043903B2 (en) 2012-06-08 2012-06-08 Kernel-level security agent
US14/140,323 Active US9571453B2 (en) 2012-06-08 2013-12-24 Kernel-level security agent
US14/709,779 Active US9621515B2 (en) 2012-06-08 2015-05-12 Kernel-level security agent
US15/393,797 Active US10002250B2 (en) 2012-06-08 2016-12-29 Security agent
US15/483,153 Active US9904784B2 (en) 2012-06-08 2017-04-10 Kernel-level security agent

Country Status (10)

Country Link
US (6) US9043903B2 (en)
EP (3) EP4404508A3 (en)
JP (2) JP6212548B2 (en)
AU (1) AU2013272198A1 (en)
BR (1) BR112014030746A2 (en)
CA (1) CA2872786A1 (en)
IL (1) IL235905B (en)
IN (1) IN2014DN09583A (en)
SG (1) SG11201407292QA (en)
WO (1) WO2013184281A1 (en)

Families Citing this family (94)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8510596B1 (en) 2006-02-09 2013-08-13 Virsec Systems, Inc. System and methods for run time detection and correction of memory corruption
US9635048B2 (en) * 2011-03-09 2017-04-25 Irdeto B.V. Method and system for dynamic platform security in a device operating system
US9043903B2 (en) 2012-06-08 2015-05-26 Crowdstrike, Inc. Kernel-level security agent
US9292881B2 (en) 2012-06-29 2016-03-22 Crowdstrike, Inc. Social sharing of security information in a group
US10409980B2 (en) * 2012-12-27 2019-09-10 Crowdstrike, Inc. Real-time representation of security-relevant system state
US10127379B2 (en) * 2013-03-13 2018-11-13 Mcafee, Llc Profiling code execution
WO2014145805A1 (en) 2013-03-15 2014-09-18 Mandiant, Llc System and method employing structured intelligence to verify and contain threats at endpoints
US9740886B2 (en) * 2013-03-15 2017-08-22 Sony Interactive Entertainment Inc. Enhanced security for hardware decoder accelerator
US9158914B2 (en) * 2013-04-19 2015-10-13 Crowdstrike, Inc. Executable component injection utilizing hotpatch mechanisms
US9852290B1 (en) * 2013-07-12 2017-12-26 The Boeing Company Systems and methods of analyzing a software component
WO2015038944A1 (en) 2013-09-12 2015-03-19 Virsec Systems, Inc. Automated runtime detection of malware
KR102125923B1 (en) * 2013-10-24 2020-06-24 삼성전자 주식회사 Method and apparatus for upgrading operating system of a electronic device
US20150222646A1 (en) * 2014-01-31 2015-08-06 Crowdstrike, Inc. Tagging Security-Relevant System Objects
US20150304343A1 (en) 2014-04-18 2015-10-22 Intuit Inc. Method and system for providing self-monitoring, self-reporting, and self-repairing virtual assets in a cloud computing environment
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US9866581B2 (en) 2014-06-30 2018-01-09 Intuit Inc. Method and system for secure delivery of information to computing environments
US9276945B2 (en) * 2014-04-07 2016-03-01 Intuit Inc. Method and system for providing security aware applications
US10289405B2 (en) 2014-03-20 2019-05-14 Crowdstrike, Inc. Integrity assurance and rebootless updating during runtime
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US9798882B2 (en) * 2014-06-06 2017-10-24 Crowdstrike, Inc. Real-time model of states of monitored devices
CA2953793C (en) 2014-06-24 2021-10-19 Virsec Systems, Inc. System and methods for automated detection of input and output validation and resource management vulnerability
US10356109B2 (en) * 2014-07-21 2019-07-16 Entit Software Llc Security indicator linkage determination
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
US11507663B2 (en) 2014-08-11 2022-11-22 Sentinel Labs Israel Ltd. Method of remediating operations performed by a program and system thereof
US9710648B2 (en) * 2014-08-11 2017-07-18 Sentinel Labs Israel Ltd. Method of malware detection and system thereof
US10102374B1 (en) 2014-08-11 2018-10-16 Sentinel Labs Israel Ltd. Method of remediating a program and system thereof by undoing operations
US9940336B2 (en) * 2014-10-24 2018-04-10 Splunk Inc. File monitoring
US9565093B1 (en) * 2014-12-15 2017-02-07 Symantec Corporation Systems and methods for anticipating file-security queries
US10032041B2 (en) * 2015-05-30 2018-07-24 Apple Inc. Storage volume protection using restricted resource classes
KR101666176B1 (en) * 2015-06-25 2016-10-14 한국전자통신연구원 Apparatus and method for of monitoring application based on android platform
US10395029B1 (en) 2015-06-30 2019-08-27 Fireeye, Inc. Virtual system and method with threat protection
US11113086B1 (en) 2015-06-30 2021-09-07 Fireeye, Inc. Virtual system and method for securing external network connectivity
US10642753B1 (en) 2015-06-30 2020-05-05 Fireeye, Inc. System and method for protecting a software component running in virtual machine using a virtualization layer
US10726127B1 (en) 2015-06-30 2020-07-28 Fireeye, Inc. System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US10216927B1 (en) 2015-06-30 2019-02-26 Fireeye, Inc. System and method for protecting memory pages associated with a process using a virtualization layer
US10339316B2 (en) * 2015-07-28 2019-07-02 Crowdstrike, Inc. Integrity assurance through early loading in the boot phase
US10033759B1 (en) 2015-09-28 2018-07-24 Fireeye, Inc. System and method of threat detection under hypervisor control
CN105389197B (en) * 2015-10-13 2019-02-26 北京百度网讯科技有限公司 Operation method and device for capturing for the virtualization system based on container
WO2017086928A1 (en) * 2015-11-17 2017-05-26 Hewlett Packard Enterprise Development Lp Handling network threats
US10257223B2 (en) * 2015-12-21 2019-04-09 Nagravision S.A. Secured home network
US20170195364A1 (en) * 2016-01-06 2017-07-06 Perception Point Ltd. Cyber security system and method
AU2017223566B2 (en) 2016-02-23 2021-10-21 Carbon Black, Inc. Cybersecurity systems and techniques
US20210049292A1 (en) * 2016-03-07 2021-02-18 Crowdstrike, Inc. Hypervisor-Based Interception of Memory and Register Accesses
US11188651B2 (en) * 2016-03-07 2021-11-30 Crowdstrike, Inc. Hypervisor-based interception of memory accesses
US10320820B2 (en) 2016-03-24 2019-06-11 Carbon Black, Inc. Systems and techniques for guiding a response to a cybersecurity incident
US10243972B2 (en) * 2016-04-11 2019-03-26 Crowdstrike, Inc. Correlation-based detection of exploit activity
US10044744B1 (en) 2016-04-26 2018-08-07 EMC IP Holding Company LLC Covert storage channel communication between computer security agent and security system
US10681059B2 (en) 2016-05-25 2020-06-09 CyberOwl Limited Relating to the monitoring of network security
CA3027728A1 (en) * 2016-06-16 2017-12-21 Virsec Systems, Inc. Systems and methods for remediating memory corruption in a computer application
US10191789B2 (en) * 2016-08-18 2019-01-29 Crowdstrike, Inc. Tracing system operations across remote procedure linkages to identify request originators
CN106452881B (en) * 2016-10-21 2019-12-20 用友网络科技股份有限公司 Operation and maintenance data processing system based on cloud adding mode
US10685111B2 (en) 2016-10-31 2020-06-16 Crowdstrike, Inc. File-modifying malware detection
US10515226B2 (en) * 2016-11-21 2019-12-24 Dell Products, L.P. Systems and methods for protected local backup
US11616812B2 (en) 2016-12-19 2023-03-28 Attivo Networks Inc. Deceiving attackers accessing active directory data
US11695800B2 (en) 2016-12-19 2023-07-04 SentinelOne, Inc. Deceiving attackers accessing network data
US10320818B2 (en) * 2017-02-14 2019-06-11 Symantec Corporation Systems and methods for detecting malicious computing events
US11436317B2 (en) * 2017-02-21 2022-09-06 Raptor Engineering LLC Systems and methods for assuring integrity of operating system and software components at runtime
US10387228B2 (en) 2017-02-21 2019-08-20 Crowdstrike, Inc. Symmetric bridge component for communications between kernel mode and user mode
US11238185B2 (en) * 2017-03-07 2022-02-01 Sennco Solutions, Inc. Integrated, persistent security monitoring of electronic merchandise
US10503545B2 (en) * 2017-04-12 2019-12-10 At&T Intellectual Property I, L.P. Universal security agent
US10635806B2 (en) * 2017-05-04 2020-04-28 Crowdstrike, Inc. Least recently used (LRU)-based event suppression
US11082444B2 (en) 2017-05-30 2021-08-03 Cyemptive Technologies, Inc. Real-time detection of and protection from malware and steganography in a kernel mode
JP2019008503A (en) * 2017-06-23 2019-01-17 杉中 順子 Information processing monitoring apparatus, information processing monitoring method, program, recording medium, and information processing apparatus
US10659432B2 (en) 2017-07-06 2020-05-19 Crowdstrike, Inc. Network containment of compromised machines
JP6656211B2 (en) * 2017-08-02 2020-03-04 三菱電機株式会社 Information processing apparatus, information processing method, and information processing program
JP2020530922A (en) * 2017-08-08 2020-10-29 センチネル ラボ, インコーポレイテッドSentinel Labs, Inc. How to dynamically model and group edge networking endpoints, systems, and devices
US10885213B2 (en) 2017-09-12 2021-01-05 Sophos Limited Secure firewall configurations
US11163880B2 (en) * 2017-09-29 2021-11-02 Crowdstrike, Inc. Using indirection to facilitate software upgrades
US10990664B2 (en) 2017-11-20 2021-04-27 International Business Machines Corporation Eliminating and reporting kernel instruction alteration
US10740459B2 (en) 2017-12-28 2020-08-11 Crowdstrike, Inc. Kernel- and user-level cooperative security processing
US11423186B2 (en) 2018-01-17 2022-08-23 Crowdstrike, Inc. Verified inter-module communications interface
EP3514717B1 (en) 2018-01-17 2021-03-31 Crowdstrike, Inc. Device driver non-volatile backing-store installation
US11113425B2 (en) 2018-01-17 2021-09-07 Crowd Strike, Inc. Security component for devices on an enumerated bus
US11470115B2 (en) 2018-02-09 2022-10-11 Attivo Networks, Inc. Implementing decoys in a network environment
CN108429746B (en) * 2018-03-06 2020-01-03 华中科技大学 Privacy data protection method and system for cloud tenants
US10762202B2 (en) 2018-04-11 2020-09-01 Crowdstrike, Inc. Securely and efficiently providing user notifications about security actions
US10333977B1 (en) * 2018-08-23 2019-06-25 Illusive Networks Ltd. Deceiving an attacker who is harvesting credentials
US11916953B2 (en) * 2018-09-24 2024-02-27 Cybereason, Inc. Method and mechanism for detection of pass-the-hash attacks
US10983849B2 (en) 2019-02-28 2021-04-20 Crowdstrike, Inc. Container application for android-based devices
JP7278423B2 (en) 2019-05-20 2023-05-19 センチネル ラブス イスラエル リミテッド System and method for executable code detection, automatic feature extraction and position independent code detection
US11636204B2 (en) * 2019-10-01 2023-04-25 Acronis International Gmbh Systems and methods for countering removal of digital forensics information by malicious software
US20230153427A1 (en) * 2020-03-26 2023-05-18 Groupe Elucidia Inc. System and method for automated sensitive information discovery, monitoring and remediation
US11563756B2 (en) 2020-04-15 2023-01-24 Crowdstrike, Inc. Distributed digital security system
US11645397B2 (en) 2020-04-15 2023-05-09 Crowd Strike, Inc. Distributed digital security system
US11861019B2 (en) 2020-04-15 2024-01-02 Crowdstrike, Inc. Distributed digital security system
US11711379B2 (en) 2020-04-15 2023-07-25 Crowdstrike, Inc. Distributed digital security system
US11616790B2 (en) 2020-04-15 2023-03-28 Crowdstrike, Inc. Distributed digital security system
US11636214B2 (en) * 2020-12-11 2023-04-25 Hewlett Packard Enterprise Development Lp Memory scan-based process monitoring
US11579857B2 (en) 2020-12-16 2023-02-14 Sentinel Labs Israel Ltd. Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach
US11836137B2 (en) 2021-05-19 2023-12-05 Crowdstrike, Inc. Real-time streaming graph queries
US11899782B1 (en) 2021-07-13 2024-02-13 SentinelOne, Inc. Preserving DLL hooks
US20230068691A1 (en) * 2021-08-31 2023-03-02 EMC IP Holding Company LLC System and method for correlating filesystem events into meaningful behaviors
CN113779583B (en) * 2021-11-10 2022-02-22 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment
US20230421587A1 (en) 2022-06-24 2023-12-28 Crowdstrike, Inc. Distributed Digital Security System for Predicting Malicious Behavior

Citations (129)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5355498A (en) 1992-02-25 1994-10-11 Sun Microsystems, Inc. Method and apparatus for booting a computer system without loading a device driver into memory
EP0648353A1 (en) 1992-07-01 1995-04-19 Telefonaktiebolaget Lm Ericsson System for changing software during computer operation
US6009274A (en) 1996-12-13 1999-12-28 3Com Corporation Method and apparatus for automatically updating software components on end systems over a network
US6052723A (en) 1996-07-25 2000-04-18 Stockmaster.Com, Inc. Method for aggregate control on an electronic network
US6088804A (en) 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US20010044904A1 (en) 1999-09-29 2001-11-22 Berg Ryan J. Secure remote kernel communication
US20020023211A1 (en) 2000-06-09 2002-02-21 Steven Roth Dynamic kernel tunables
US6463584B1 (en) 1998-03-12 2002-10-08 Telefonaktiebolaget Lm Ericsson State copying method for software update
JP2003084983A (en) 2001-09-11 2003-03-20 Toshiba Corp Software distributor, software distribution system and method
US20030112781A1 (en) 2001-12-17 2003-06-19 Kermode Roger George Communications unit for secure communications
US20040107416A1 (en) 2002-12-02 2004-06-03 Microsoft Corporation Patching of in-use functions on a running computer system
US20040153724A1 (en) 2003-01-30 2004-08-05 Microsoft Corporation Operating system update and boot failure recovery
US20050159998A1 (en) 2004-01-21 2005-07-21 Orkut Buyukkokten Methods and systems for rating associated members in a social network
WO2006023685A1 (en) 2004-08-20 2006-03-02 Ntt Docomo, Inc. Method and apparatus for dynamic replacement of device drivers in the operating system kernel
JP2006065835A (en) 2004-07-28 2006-03-09 Ntt Data Corp Controller for countermeasure against unauthorized access and control program for countermeasure against unauthorized access
JP2006134307A (en) 2004-11-08 2006-05-25 Microsoft Corp System and method for aggregating knowledge base of antivirus software applications
US20060156380A1 (en) 2005-01-07 2006-07-13 Gladstone Philip J S Methods and apparatus providing security to computer systems and networks
US20060174323A1 (en) 2005-01-25 2006-08-03 Brown Mark D Securing computer network interactions between entities with authorization assurances
US7093116B2 (en) 2003-04-28 2006-08-15 Intel Corporation Methods and apparatus to operate in multiple phases of a basic input/output system (BIOS)
US7099948B2 (en) 2001-02-16 2006-08-29 Swsoft Holdings, Ltd. Virtual computing environment
US20070022287A1 (en) 2005-07-15 2007-01-25 Microsoft Corporation Detecting user-mode rootkits
US20070094496A1 (en) 2005-10-25 2007-04-26 Michael Burtscher System and method for kernel-level pestware management
US20070143850A1 (en) 2005-12-16 2007-06-21 Kraemer Jeffrey A Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US20070153993A1 (en) 2004-02-02 2007-07-05 Mobile Reach Media Inc. Monitoring method and system
US7281268B2 (en) 1999-11-14 2007-10-09 Mcafee, Inc. System, method and computer program product for detection of unwanted processes
US20070250817A1 (en) 2006-04-20 2007-10-25 Boney Matthew L Backwards researching activity indicative of pestware
US20080034429A1 (en) 2006-08-07 2008-02-07 Schneider Jerome L Malware management through kernel detection
JP2008047123A (en) 2006-08-11 2008-02-28 Beijing Kingsoft Software Co Ltd Real-time computer virus infection prevention device and update method thereof
JP2008507757A (en) 2004-07-20 2008-03-13 リフレクテント ソフトウェア, インコーポレイテッド End user risk management
JP2008084304A (en) 2006-09-01 2008-04-10 Ricoh Co Ltd Image forming apparatus, program updating method and program
US7366891B2 (en) 2004-12-30 2008-04-29 Intel Corporation Methods and apparatus to provide dual-mode drivers in processor systems
US20080126806A1 (en) 2006-09-21 2008-05-29 Widevine Technologies, Inc. Pre-binding and tight binding of an on-line identity to a digital signature
US20080162589A1 (en) 2006-12-29 2008-07-03 Microsoft Corporation Weakly-consistent distributed collection compromised replica recovery
US20080189796A1 (en) 2007-02-07 2008-08-07 Linn Christopher S Method and apparatus for deferred security analysis
US20080209505A1 (en) 2006-08-14 2008-08-28 Quantum Secure, Inc. Policy-based physical security system for restricting access to computer resources and data flow through network equipment
US20080253287A1 (en) 2007-04-04 2008-10-16 Binita Gupta Methods and Apparatus for Flow Data Acquisition in a Multi-Frequency Network
US7441113B2 (en) 2006-07-10 2008-10-21 Devicevm, Inc. Method and apparatus for virtualization of appliances
US7448049B1 (en) 2002-10-18 2008-11-04 Crossroads Systems, Inc. System and method of supporting kernel functionality
US20080282198A1 (en) 2007-05-07 2008-11-13 Brooks David A Method and sytem for providing collaborative tag sets to assist in the use and navigation of a folksonomy
US20080301669A1 (en) 2007-05-30 2008-12-04 Google Inc. Dynamically Self-Updating by a Software Application on a Device
US7478237B2 (en) 2004-11-08 2009-01-13 Microsoft Corporation System and method of allowing user mode applications with access to file data
JP2009015428A (en) 2007-07-02 2009-01-22 Nippon Telegr & Teleph Corp <Ntt> Program update method, information processor, program, and recording medium
US20090070878A1 (en) 2007-09-10 2009-03-12 Hao Wang Malware prevention system monitoring kernel events
US7512810B1 (en) 2002-09-11 2009-03-31 Guardian Data Storage Llc Method and system for protecting encrypted files transmitted over a network
US20090094039A1 (en) 2007-10-04 2009-04-09 Zhura Corporation Collaborative production of rich media content
US20090119681A1 (en) 2007-11-06 2009-05-07 Bhogal Kulvir S System and Method for Virus Notification Based on Social Groups
US7571448B1 (en) 2004-07-28 2009-08-04 Symantec Corporation Lightweight hooking mechanism for kernel level operations
US20090216806A1 (en) 2008-02-24 2009-08-27 Allofme Ltd. Digital assets internet timeline aggregation and sharing platform
JP2009238153A (en) 2008-03-28 2009-10-15 Nec Corp Malware handling system, method, and program
US20090288165A1 (en) 2008-05-13 2009-11-19 Chaoxin Qiu Methods and apparatus for intrusion protection in systems that monitor for improper network usage
US20090307142A1 (en) 2008-06-06 2009-12-10 Upendra Mardikar Trusted service manager (tsm) architectures and methods
US20100074446A1 (en) 2008-09-22 2010-03-25 Motorola, Inc. Method of automatically populating a list of managed secure communications group members
JP2010517164A (en) 2007-01-25 2010-05-20 マイクロソフト コーポレーション Protect operating system resources
US20100169973A1 (en) 2008-12-30 2010-07-01 Ki Hong Kim System and Method For Detecting Unknown Malicious Code By Analyzing Kernel Based System Actions
US7765410B2 (en) 2004-11-08 2010-07-27 Microsoft Corporation System and method of aggregating the knowledge base of antivirus software applications
US7765400B2 (en) 2004-11-08 2010-07-27 Microsoft Corporation Aggregation of the knowledge base of antivirus software
KR20100085424A (en) 2009-01-20 2010-07-29 성균관대학교산학협력단 Group key distribution method and server and client for implementing the same
US20100212012A1 (en) 2008-11-19 2010-08-19 Yoggie Security Systems Ltd. Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device
JP2010182019A (en) 2009-02-04 2010-08-19 Kddi Corp Abnormality detector and program
US20100235879A1 (en) 2007-06-08 2010-09-16 Matthew Burnside Systems, methods, and media for enforcing a security policy in a network including a plurality of components
US20100235622A1 (en) 2009-03-13 2010-09-16 Assa Abloy Ab Transfer device for sensitive material such as a cryptographic key
US20100312890A1 (en) 2008-02-11 2010-12-09 Dolby Laboratories Licensing Corporation Dynamic dns system for private networks
US20110010522A1 (en) 2009-06-12 2011-01-13 Cray Inc. Multiprocessor communication protocol bridge between scalar and vector compute nodes
US20110029772A1 (en) 2004-12-03 2011-02-03 Whitecell Software Inc. Cloud-based application whitelisting
US7890664B1 (en) 2008-03-31 2011-02-15 Emc Corporation Methods and apparatus for non-disruptive upgrade by redirecting I/O operations
US7908656B1 (en) 2007-04-23 2011-03-15 Network Appliance, Inc. Customized data generating data storage system filter for data security
KR101038048B1 (en) 2009-12-21 2011-06-01 한국인터넷진흥원 Botnet malicious behavior real-time analyzing system
US20110145598A1 (en) 2009-12-16 2011-06-16 Smith Ned M Providing Integrity Verification And Attestation In A Hidden Execution Environment
US20110209219A1 (en) 2010-02-25 2011-08-25 Microsoft Corporation Protecting User Mode Processes From Improper Tampering or Termination
US20110239306A1 (en) 2008-08-27 2011-09-29 Applied Neural Technologies Limited Data leak protection application
US20120005542A1 (en) 2010-07-01 2012-01-05 LogRhythm Inc. Log collection, structuring and processing
US20120079594A1 (en) 2010-09-27 2012-03-29 Hyun Cheol Jeong Malware auto-analysis system and method using kernel callback mechanism
US20120084799A1 (en) 2007-08-17 2012-04-05 Mcafee, Inc., A Delaware Corporation System, method, and computer program product for terminating a hidden kernel process
US20120167161A1 (en) 2010-12-23 2012-06-28 Electronics And Telecommunications Research Institute Apparatus and method for controlling security condition of global network
US8220041B2 (en) 2007-12-13 2012-07-10 Trend Micro Incorporated Method and system for protecting a computer system during boot operation
US8234693B2 (en) 2008-12-05 2012-07-31 Raytheon Company Secure document management
US8239947B1 (en) 2006-02-06 2012-08-07 Symantec Corporation Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system
WO2012107557A1 (en) 2011-02-10 2012-08-16 Telefonica, S.A. Method and system for improving security threats detection in communication networks
US20120246297A1 (en) 2011-03-25 2012-09-27 Vijaya Shanker Agent based monitoring for saas it service management
US20120255012A1 (en) 2011-03-29 2012-10-04 Mcafee, Inc. System and method for below-operating system regulation and control of self-modifying code
WO2012135192A2 (en) 2011-03-28 2012-10-04 Mcafee, Inc. System and method for virtual machine monitor based anti-malware security
US20120255002A1 (en) 2011-03-31 2012-10-04 Mcafee, Inc. System and method for below-operating system trapping of driver loading and unloading
JP2013502005A (en) 2009-08-10 2013-01-17 シマンテック コーポレーション System and method for updating software products
US8407279B2 (en) 2010-07-26 2013-03-26 Pantech Co., Ltd. Portable terminal and method for providing social network service using human body communication
US8407698B2 (en) 2008-01-25 2013-03-26 Citrix Systems, Inc. Driver installation and diskless booting of virtual and physical machines based on machine characteristic
US8413261B2 (en) 2008-05-30 2013-04-02 Red Hat, Inc. Sharing private data publicly and anonymously
US8429429B1 (en) 2009-10-23 2013-04-23 Secure Vector, Inc. Computer security system and method
US20130145465A1 (en) 2011-12-06 2013-06-06 At&T Intellectual Property I, L.P. Multilayered deception for intrusion detection and prevention
US8510570B2 (en) 2006-07-18 2013-08-13 Certicom Corp. System and method for authenticating a gaming device
US8533830B1 (en) 2009-03-31 2013-09-10 Mcafee, Inc. System, method, and computer program product for mounting an image of a computer system in a pre-boot environment for validating the computer system
US8539584B2 (en) 2010-08-30 2013-09-17 International Business Machines Corporation Rootkit monitoring agent built into an operating system kernel
US8549648B2 (en) 2011-03-29 2013-10-01 Mcafee, Inc. Systems and methods for identifying hidden processes
US8572247B2 (en) 1998-10-30 2013-10-29 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US8572733B1 (en) 2005-07-06 2013-10-29 Raytheon Company System and method for active data collection in a network security system
US20130291112A1 (en) 2012-04-27 2013-10-31 Ut-Batelle, Llc Architecture for removable media usb-arm
US8577616B2 (en) 2003-12-16 2013-11-05 Aerulean Plant Identification Systems, Inc. System and method for plant identification
US8578477B1 (en) 2007-03-28 2013-11-05 Trend Micro Incorporated Secure computer system integrity check
WO2013164821A2 (en) 2012-05-03 2013-11-07 Shine Security Ltd. Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention
US20130305340A1 (en) 2012-05-14 2013-11-14 Cisco Technology, Inc. Integrity monitoring to detect changes at network device for use in secure network access
US20130312095A1 (en) 2012-05-21 2013-11-21 Mcafee, Inc. Identifying rootkits based on access permissions
US20130312099A1 (en) 2012-05-21 2013-11-21 Mcafee, Inc. Realtime Kernel Object Table and Type Protection
US8607340B2 (en) * 2009-07-21 2013-12-10 Sophos Limited Host intrusion prevention system using software and user behavior analysis
WO2013184281A1 (en) 2012-06-08 2013-12-12 Crowdstrike, Inc. Kernel-level security agent
US20140007190A1 (en) 2012-06-29 2014-01-02 Crowdstrike, Inc. Social Sharing of Security Information in a Group
US8631488B2 (en) 2008-08-04 2014-01-14 Cupp Computing As Systems and methods for providing security services during power management mode
US8762298B1 (en) 2011-01-05 2014-06-24 Narus, Inc. Machine learning based botnet detection using real-time connectivity graph based traffic features
US8776227B1 (en) 2010-10-21 2014-07-08 Symantec Corporation User interface based malware detection
US8776218B2 (en) * 2009-07-21 2014-07-08 Sophos Limited Behavioral-based host intrusion prevention system
US8789034B1 (en) 2011-12-31 2014-07-22 Parallels IP Holdings GmbH Method for updating operating system without memory reset
US20140317405A1 (en) 2013-04-22 2014-10-23 Unisys Corporation Secured communications arrangement applying internet protocol security
US20150007331A1 (en) 2013-06-26 2015-01-01 Microsoft Corporation Providing user-specific malware assessment based on social interactions
US20150007316A1 (en) 2013-06-28 2015-01-01 Omer Ben-Shalom Rootkit detection by using hw resources to detect inconsistencies in network traffic
US20150101044A1 (en) 2013-10-08 2015-04-09 Crowdstrike, Inc. Event Model for Correlating System Component States
US20150128206A1 (en) 2013-11-04 2015-05-07 Trusteer Ltd. Early Filtering of Events Using a Kernel-Based Filter
US9038176B2 (en) 2011-03-31 2015-05-19 Mcafee, Inc. System and method for below-operating system trapping and securing loading of code into memory
US20150178071A1 (en) 2013-12-19 2015-06-25 Novell, Inc. Runtime patching of an operating system (os) without stopping execution
US20150256552A1 (en) 2014-03-04 2015-09-10 Electronics And Telecommunications Research Institute Imalicious code detection apparatus and method
US20150268947A1 (en) 2014-03-20 2015-09-24 Crowdstrike, Inc. Integrity Assurance and Rebootless Updating During Runtime
US9158914B2 (en) 2013-04-19 2015-10-13 Crowdstrike, Inc. Executable component injection utilizing hotpatch mechanisms
US20150356301A1 (en) 2014-06-06 2015-12-10 Crowdstrike, Inc. Real-Time Model of States of Monitored Devices
US20170061127A1 (en) 2015-07-28 2017-03-02 Crowdstrike, Inc. Integrity Assurance Through Early Loading in the Boot Phase
US9606809B2 (en) 2012-03-27 2017-03-28 Yin Sheng Zhang Computer with flexible operating system
US20170279614A1 (en) 2016-03-25 2017-09-28 Pearson Education, Inc. Generation, management, and tracking of digital credentials
US20180239657A1 (en) 2017-02-21 2018-08-23 Crowdstrike, Inc. Symmetric bridge component for communications between kernel mode and user mode
US10339322B2 (en) * 2017-11-15 2019-07-02 Korea Internet And Security Agency Method and apparatus for identifying security vulnerability in binary and location of cause of security vulnerability
US20190205533A1 (en) 2017-12-28 2019-07-04 Crowdstrike, Inc. Kernel- and User-Level Cooperative Security Processing
US10476904B2 (en) * 2016-08-26 2019-11-12 Fujitsu Limited Non-transitory recording medium recording cyber-attack analysis supporting program, cyber-attack analysis supporting method, and cyber-attack analysis supporting apparatus
US10503904B1 (en) 2017-06-29 2019-12-10 Fireeye, Inc. Ransomware detection and mitigation
US20200026855A1 (en) * 2018-07-22 2020-01-23 Minerva Labs Ltd. Systems and methods for protecting a computing device against malicious code

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8572740B2 (en) * 2009-10-01 2013-10-29 Kaspersky Lab, Zao Method and system for detection of previously unknown malware
US8528091B2 (en) * 2009-12-31 2013-09-03 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for detecting covert malware

Patent Citations (149)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5355498A (en) 1992-02-25 1994-10-11 Sun Microsystems, Inc. Method and apparatus for booting a computer system without loading a device driver into memory
EP0648353A1 (en) 1992-07-01 1995-04-19 Telefonaktiebolaget Lm Ericsson System for changing software during computer operation
US6052723A (en) 1996-07-25 2000-04-18 Stockmaster.Com, Inc. Method for aggregate control on an electronic network
US6009274A (en) 1996-12-13 1999-12-28 3Com Corporation Method and apparatus for automatically updating software components on end systems over a network
US6088804A (en) 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US6463584B1 (en) 1998-03-12 2002-10-08 Telefonaktiebolaget Lm Ericsson State copying method for software update
US8572247B2 (en) 1998-10-30 2013-10-29 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US20010044904A1 (en) 1999-09-29 2001-11-22 Berg Ryan J. Secure remote kernel communication
US7281268B2 (en) 1999-11-14 2007-10-09 Mcafee, Inc. System, method and computer program product for detection of unwanted processes
US20020023211A1 (en) 2000-06-09 2002-02-21 Steven Roth Dynamic kernel tunables
US7099948B2 (en) 2001-02-16 2006-08-29 Swsoft Holdings, Ltd. Virtual computing environment
JP2003084983A (en) 2001-09-11 2003-03-20 Toshiba Corp Software distributor, software distribution system and method
US20030112781A1 (en) 2001-12-17 2003-06-19 Kermode Roger George Communications unit for secure communications
US7512810B1 (en) 2002-09-11 2009-03-31 Guardian Data Storage Llc Method and system for protecting encrypted files transmitted over a network
US7448049B1 (en) 2002-10-18 2008-11-04 Crossroads Systems, Inc. System and method of supporting kernel functionality
US20040107416A1 (en) 2002-12-02 2004-06-03 Microsoft Corporation Patching of in-use functions on a running computer system
US20040153724A1 (en) 2003-01-30 2004-08-05 Microsoft Corporation Operating system update and boot failure recovery
US7093116B2 (en) 2003-04-28 2006-08-15 Intel Corporation Methods and apparatus to operate in multiple phases of a basic input/output system (BIOS)
US8577616B2 (en) 2003-12-16 2013-11-05 Aerulean Plant Identification Systems, Inc. System and method for plant identification
US20050159998A1 (en) 2004-01-21 2005-07-21 Orkut Buyukkokten Methods and systems for rating associated members in a social network
US20070153993A1 (en) 2004-02-02 2007-07-05 Mobile Reach Media Inc. Monitoring method and system
JP2008507757A (en) 2004-07-20 2008-03-13 リフレクテント ソフトウェア, インコーポレイテッド End user risk management
US7571448B1 (en) 2004-07-28 2009-08-04 Symantec Corporation Lightweight hooking mechanism for kernel level operations
JP2006065835A (en) 2004-07-28 2006-03-09 Ntt Data Corp Controller for countermeasure against unauthorized access and control program for countermeasure against unauthorized access
WO2006023685A1 (en) 2004-08-20 2006-03-02 Ntt Docomo, Inc. Method and apparatus for dynamic replacement of device drivers in the operating system kernel
US7765400B2 (en) 2004-11-08 2010-07-27 Microsoft Corporation Aggregation of the knowledge base of antivirus software
US7765410B2 (en) 2004-11-08 2010-07-27 Microsoft Corporation System and method of aggregating the knowledge base of antivirus software applications
JP2006134307A (en) 2004-11-08 2006-05-25 Microsoft Corp System and method for aggregating knowledge base of antivirus software applications
US7478237B2 (en) 2004-11-08 2009-01-13 Microsoft Corporation System and method of allowing user mode applications with access to file data
US20110029772A1 (en) 2004-12-03 2011-02-03 Whitecell Software Inc. Cloud-based application whitelisting
US7366891B2 (en) 2004-12-30 2008-04-29 Intel Corporation Methods and apparatus to provide dual-mode drivers in processor systems
US20060156380A1 (en) 2005-01-07 2006-07-13 Gladstone Philip J S Methods and apparatus providing security to computer systems and networks
US20060174323A1 (en) 2005-01-25 2006-08-03 Brown Mark D Securing computer network interactions between entities with authorization assurances
US8572733B1 (en) 2005-07-06 2013-10-29 Raytheon Company System and method for active data collection in a network security system
US20070022287A1 (en) 2005-07-15 2007-01-25 Microsoft Corporation Detecting user-mode rootkits
US20110099632A1 (en) 2005-07-15 2011-04-28 Microsoft Corporation Detecting user-mode rootkits
US20070094496A1 (en) 2005-10-25 2007-04-26 Michael Burtscher System and method for kernel-level pestware management
US20070143850A1 (en) 2005-12-16 2007-06-21 Kraemer Jeffrey A Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US8239947B1 (en) 2006-02-06 2012-08-07 Symantec Corporation Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system
US20070250817A1 (en) 2006-04-20 2007-10-25 Boney Matthew L Backwards researching activity indicative of pestware
US7441113B2 (en) 2006-07-10 2008-10-21 Devicevm, Inc. Method and apparatus for virtualization of appliances
US8086836B2 (en) 2006-07-10 2011-12-27 Splashtop Inc. Method and apparatus for virtualization of appliances
US8510570B2 (en) 2006-07-18 2013-08-13 Certicom Corp. System and method for authenticating a gaming device
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
US20080034429A1 (en) 2006-08-07 2008-02-07 Schneider Jerome L Malware management through kernel detection
JP2008047123A (en) 2006-08-11 2008-02-28 Beijing Kingsoft Software Co Ltd Real-time computer virus infection prevention device and update method thereof
US20080209505A1 (en) 2006-08-14 2008-08-28 Quantum Secure, Inc. Policy-based physical security system for restricting access to computer resources and data flow through network equipment
JP2008084304A (en) 2006-09-01 2008-04-10 Ricoh Co Ltd Image forming apparatus, program updating method and program
US8321677B2 (en) 2006-09-21 2012-11-27 Google Inc. Pre-binding and tight binding of an on-line identity to a digital signature
US20080126806A1 (en) 2006-09-21 2008-05-29 Widevine Technologies, Inc. Pre-binding and tight binding of an on-line identity to a digital signature
US20080162589A1 (en) 2006-12-29 2008-07-03 Microsoft Corporation Weakly-consistent distributed collection compromised replica recovery
JP2010517164A (en) 2007-01-25 2010-05-20 マイクロソフト コーポレーション Protect operating system resources
US20080189796A1 (en) 2007-02-07 2008-08-07 Linn Christopher S Method and apparatus for deferred security analysis
US8578477B1 (en) 2007-03-28 2013-11-05 Trend Micro Incorporated Secure computer system integrity check
US20080253287A1 (en) 2007-04-04 2008-10-16 Binita Gupta Methods and Apparatus for Flow Data Acquisition in a Multi-Frequency Network
US7908656B1 (en) 2007-04-23 2011-03-15 Network Appliance, Inc. Customized data generating data storage system filter for data security
US20080282198A1 (en) 2007-05-07 2008-11-13 Brooks David A Method and sytem for providing collaborative tag sets to assist in the use and navigation of a folksonomy
US20080301669A1 (en) 2007-05-30 2008-12-04 Google Inc. Dynamically Self-Updating by a Software Application on a Device
US20100235879A1 (en) 2007-06-08 2010-09-16 Matthew Burnside Systems, methods, and media for enforcing a security policy in a network including a plurality of components
JP2009015428A (en) 2007-07-02 2009-01-22 Nippon Telegr & Teleph Corp <Ntt> Program update method, information processor, program, and recording medium
US20120084799A1 (en) 2007-08-17 2012-04-05 Mcafee, Inc., A Delaware Corporation System, method, and computer program product for terminating a hidden kernel process
US20090070878A1 (en) 2007-09-10 2009-03-12 Hao Wang Malware prevention system monitoring kernel events
US8065728B2 (en) 2007-09-10 2011-11-22 Wisconsin Alumni Research Foundation Malware prevention system monitoring kernel events
US20090094039A1 (en) 2007-10-04 2009-04-09 Zhura Corporation Collaborative production of rich media content
US20090119681A1 (en) 2007-11-06 2009-05-07 Bhogal Kulvir S System and Method for Virus Notification Based on Social Groups
US8220041B2 (en) 2007-12-13 2012-07-10 Trend Micro Incorporated Method and system for protecting a computer system during boot operation
US8407698B2 (en) 2008-01-25 2013-03-26 Citrix Systems, Inc. Driver installation and diskless booting of virtual and physical machines based on machine characteristic
US20100312890A1 (en) 2008-02-11 2010-12-09 Dolby Laboratories Licensing Corporation Dynamic dns system for private networks
US20090216806A1 (en) 2008-02-24 2009-08-27 Allofme Ltd. Digital assets internet timeline aggregation and sharing platform
JP2009238153A (en) 2008-03-28 2009-10-15 Nec Corp Malware handling system, method, and program
US7890664B1 (en) 2008-03-31 2011-02-15 Emc Corporation Methods and apparatus for non-disruptive upgrade by redirecting I/O operations
US20090288165A1 (en) 2008-05-13 2009-11-19 Chaoxin Qiu Methods and apparatus for intrusion protection in systems that monitor for improper network usage
US8413261B2 (en) 2008-05-30 2013-04-02 Red Hat, Inc. Sharing private data publicly and anonymously
US20090307142A1 (en) 2008-06-06 2009-12-10 Upendra Mardikar Trusted service manager (tsm) architectures and methods
US8631488B2 (en) 2008-08-04 2014-01-14 Cupp Computing As Systems and methods for providing security services during power management mode
US20110239306A1 (en) 2008-08-27 2011-09-29 Applied Neural Technologies Limited Data leak protection application
US20100074446A1 (en) 2008-09-22 2010-03-25 Motorola, Inc. Method of automatically populating a list of managed secure communications group members
US20100212012A1 (en) 2008-11-19 2010-08-19 Yoggie Security Systems Ltd. Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device
US8234693B2 (en) 2008-12-05 2012-07-31 Raytheon Company Secure document management
US20100169973A1 (en) 2008-12-30 2010-07-01 Ki Hong Kim System and Method For Detecting Unknown Malicious Code By Analyzing Kernel Based System Actions
KR20100085424A (en) 2009-01-20 2010-07-29 성균관대학교산학협력단 Group key distribution method and server and client for implementing the same
JP2010182019A (en) 2009-02-04 2010-08-19 Kddi Corp Abnormality detector and program
US20100235622A1 (en) 2009-03-13 2010-09-16 Assa Abloy Ab Transfer device for sensitive material such as a cryptographic key
US8533830B1 (en) 2009-03-31 2013-09-10 Mcafee, Inc. System, method, and computer program product for mounting an image of a computer system in a pre-boot environment for validating the computer system
US20110010522A1 (en) 2009-06-12 2011-01-13 Cray Inc. Multiprocessor communication protocol bridge between scalar and vector compute nodes
US8607340B2 (en) * 2009-07-21 2013-12-10 Sophos Limited Host intrusion prevention system using software and user behavior analysis
US8776218B2 (en) * 2009-07-21 2014-07-08 Sophos Limited Behavioral-based host intrusion prevention system
JP2013502005A (en) 2009-08-10 2013-01-17 シマンテック コーポレーション System and method for updating software products
US8429429B1 (en) 2009-10-23 2013-04-23 Secure Vector, Inc. Computer security system and method
US20110145598A1 (en) 2009-12-16 2011-06-16 Smith Ned M Providing Integrity Verification And Attestation In A Hidden Execution Environment
KR101038048B1 (en) 2009-12-21 2011-06-01 한국인터넷진흥원 Botnet malicious behavior real-time analyzing system
US20110209219A1 (en) 2010-02-25 2011-08-25 Microsoft Corporation Protecting User Mode Processes From Improper Tampering or Termination
US20120005542A1 (en) 2010-07-01 2012-01-05 LogRhythm Inc. Log collection, structuring and processing
US8407279B2 (en) 2010-07-26 2013-03-26 Pantech Co., Ltd. Portable terminal and method for providing social network service using human body communication
US8539584B2 (en) 2010-08-30 2013-09-17 International Business Machines Corporation Rootkit monitoring agent built into an operating system kernel
US20120079594A1 (en) 2010-09-27 2012-03-29 Hyun Cheol Jeong Malware auto-analysis system and method using kernel callback mechanism
US8776227B1 (en) 2010-10-21 2014-07-08 Symantec Corporation User interface based malware detection
US20120167161A1 (en) 2010-12-23 2012-06-28 Electronics And Telecommunications Research Institute Apparatus and method for controlling security condition of global network
US8762298B1 (en) 2011-01-05 2014-06-24 Narus, Inc. Machine learning based botnet detection using real-time connectivity graph based traffic features
WO2012107557A1 (en) 2011-02-10 2012-08-16 Telefonica, S.A. Method and system for improving security threats detection in communication networks
US20120246297A1 (en) 2011-03-25 2012-09-27 Vijaya Shanker Agent based monitoring for saas it service management
WO2012135192A2 (en) 2011-03-28 2012-10-04 Mcafee, Inc. System and method for virtual machine monitor based anti-malware security
US20120255012A1 (en) 2011-03-29 2012-10-04 Mcafee, Inc. System and method for below-operating system regulation and control of self-modifying code
US8549648B2 (en) 2011-03-29 2013-10-01 Mcafee, Inc. Systems and methods for identifying hidden processes
US9038176B2 (en) 2011-03-31 2015-05-19 Mcafee, Inc. System and method for below-operating system trapping and securing loading of code into memory
US20120255002A1 (en) 2011-03-31 2012-10-04 Mcafee, Inc. System and method for below-operating system trapping of driver loading and unloading
US20130145465A1 (en) 2011-12-06 2013-06-06 At&T Intellectual Property I, L.P. Multilayered deception for intrusion detection and prevention
US8789034B1 (en) 2011-12-31 2014-07-22 Parallels IP Holdings GmbH Method for updating operating system without memory reset
US9606809B2 (en) 2012-03-27 2017-03-28 Yin Sheng Zhang Computer with flexible operating system
US20130291112A1 (en) 2012-04-27 2013-10-31 Ut-Batelle, Llc Architecture for removable media usb-arm
WO2013164821A2 (en) 2012-05-03 2013-11-07 Shine Security Ltd. Malicious threat detection, malicious threat prevention, and a learning systems and methods for malicious threat detection and prevention
US20130305340A1 (en) 2012-05-14 2013-11-14 Cisco Technology, Inc. Integrity monitoring to detect changes at network device for use in secure network access
US9317687B2 (en) 2012-05-21 2016-04-19 Mcafee, Inc. Identifying rootkits based on access permissions
US20130312099A1 (en) 2012-05-21 2013-11-21 Mcafee, Inc. Realtime Kernel Object Table and Type Protection
US20130312095A1 (en) 2012-05-21 2013-11-21 Mcafee, Inc. Identifying rootkits based on access permissions
US9043903B2 (en) 2012-06-08 2015-05-26 Crowdstrike, Inc. Kernel-level security agent
US20130333040A1 (en) 2012-06-08 2013-12-12 Crowdstrike, Inc. Kernel-Level Security Agent
US10002250B2 (en) * 2012-06-08 2018-06-19 Crowdstrike, Inc. Security agent
US20170213031A1 (en) 2012-06-08 2017-07-27 Crowdstrike, Inc. Kernel-Level Security Agent
US20170109530A1 (en) 2012-06-08 2017-04-20 Crowdstrike, Inc. Security Agent
US9621515B2 (en) 2012-06-08 2017-04-11 Crowdstrike, Inc. Kernel-level security agent
US20140109226A1 (en) 2012-06-08 2014-04-17 Crowdstrike, Inc. Kernel-Level Security Agent
WO2013184281A1 (en) 2012-06-08 2013-12-12 Crowdstrike, Inc. Kernel-level security agent
US9571453B2 (en) 2012-06-08 2017-02-14 Crowdstrike, Inc. Kernel-level security agent
US20150244679A1 (en) 2012-06-08 2015-08-27 Crowdstrike, Inc. Kernel-Level Security Agent
US9858626B2 (en) 2012-06-29 2018-01-02 Crowdstrike, Inc. Social sharing of security information in a group
US20140007190A1 (en) 2012-06-29 2014-01-02 Crowdstrike, Inc. Social Sharing of Security Information in a Group
US20150326614A1 (en) 2012-06-29 2015-11-12 Crowdstrike, Inc. Social Sharing of Security Information in a Group
US9292881B2 (en) 2012-06-29 2016-03-22 Crowdstrike, Inc. Social sharing of security information in a group
US9158914B2 (en) 2013-04-19 2015-10-13 Crowdstrike, Inc. Executable component injection utilizing hotpatch mechanisms
US20140317405A1 (en) 2013-04-22 2014-10-23 Unisys Corporation Secured communications arrangement applying internet protocol security
US20150007331A1 (en) 2013-06-26 2015-01-01 Microsoft Corporation Providing user-specific malware assessment based on social interactions
US20150007316A1 (en) 2013-06-28 2015-01-01 Omer Ben-Shalom Rootkit detection by using hw resources to detect inconsistencies in network traffic
US20150101044A1 (en) 2013-10-08 2015-04-09 Crowdstrike, Inc. Event Model for Correlating System Component States
US20150128206A1 (en) 2013-11-04 2015-05-07 Trusteer Ltd. Early Filtering of Events Using a Kernel-Based Filter
US20150178071A1 (en) 2013-12-19 2015-06-25 Novell, Inc. Runtime patching of an operating system (os) without stopping execution
US20150256552A1 (en) 2014-03-04 2015-09-10 Electronics And Telecommunications Research Institute Imalicious code detection apparatus and method
US20150268947A1 (en) 2014-03-20 2015-09-24 Crowdstrike, Inc. Integrity Assurance and Rebootless Updating During Runtime
US20160170740A1 (en) 2014-03-20 2016-06-16 Crowdstrike, Inc. Integrity Assurance and Rebootless Updating During Runtime
US20190265968A1 (en) 2014-03-20 2019-08-29 Crowdstrike, Inc. Integrity Assurance and Rebootless Updating During Runtime
US20150356301A1 (en) 2014-06-06 2015-12-10 Crowdstrike, Inc. Real-Time Model of States of Monitored Devices
US20170061127A1 (en) 2015-07-28 2017-03-02 Crowdstrike, Inc. Integrity Assurance Through Early Loading in the Boot Phase
US20170279614A1 (en) 2016-03-25 2017-09-28 Pearson Education, Inc. Generation, management, and tracking of digital credentials
US10476904B2 (en) * 2016-08-26 2019-11-12 Fujitsu Limited Non-transitory recording medium recording cyber-attack analysis supporting program, cyber-attack analysis supporting method, and cyber-attack analysis supporting apparatus
US20180239657A1 (en) 2017-02-21 2018-08-23 Crowdstrike, Inc. Symmetric bridge component for communications between kernel mode and user mode
US10503904B1 (en) 2017-06-29 2019-12-10 Fireeye, Inc. Ransomware detection and mitigation
US10339322B2 (en) * 2017-11-15 2019-07-02 Korea Internet And Security Agency Method and apparatus for identifying security vulnerability in binary and location of cause of security vulnerability
US20190205533A1 (en) 2017-12-28 2019-07-04 Crowdstrike, Inc. Kernel- and User-Level Cooperative Security Processing
US20200026855A1 (en) * 2018-07-22 2020-01-23 Minerva Labs Ltd. Systems and methods for protecting a computing device against malicious code

Non-Patent Citations (81)

* Cited by examiner, † Cited by third party
Title
Anonymous, "Connect(2)-Linux manual pages", Feb. 2017, retrieved from the Internet: URL:https://web.archive.org/web/20170216051627/https://man7.org/linux/man-pages/man2/connect.2.html, 4 pages.
Anonymous, "Socket(2)-Linux manual page", Feb. 2017, retrieved from the Internet: URL:https://web.archive.org/web/20170216095427/http://man7.org/linux/man-pages/man2/socket.2.html, 5 pages.
Anonymous, "Connect(2)—Linux manual pages", Feb. 2017, retrieved from the Internet: URL:https://web.archive.org/web/20170216051627/https://man7.org/linux/man-pages/man2/connect.2.html, 4 pages.
Anonymous, "Socket(2)—Linux manual page", Feb. 2017, retrieved from the Internet: URL:https://web.archive.org/web/20170216095427/http://man7.org/linux/man-pages/man2/socket.2.html, 5 pages.
Chiueh, et al, "Stealthy Deployment and Execution of In-Guest Kernel Agents", The Black Hat Technical Security Conference USA, 2009, pp. #1-pp. #12.
Final Office Action dated Jan. 18, 2019 for U.S. Appl. No. 15/051,461 "Integrity Assurance and Rebootless Updating During Runtime" Ionescu, 9 pages.
Final Office Action dated Jun. 1, 2020 for U.S. Appl. No. 16/408,180, "Integrity Assurance and Rebootless Updating During Runtime", Ionescu, 9 pages.
Final Office Action for U.S. Appl. No. 13/492,672, dated Oct. 23, 2014, David F. Diehl, "Kernel-Level Security Agent", 15 pages.
Final Office Action for U.S. Appl. No. 13/538,439, dated Dec. 2, 2014, Dmitri Alperovitch, "Social Sharing of Security Information in a Group", 13 pages.
Final Office Action for U.S. Appl. No. 13/728,746, dated Dec. 3, 2014, David F. Diehl, "Real-Time Representation of Security-Relevant System State", 22 pages.
Graf, "Netlink Library (libnl)", retrieved on Jun. 5, 2018 at <<https://www.infradead.org/˜tgr/libnl/doc/core.html>>, May 9, 2011, 63 pages.
IDG Communications, "Symantec adds New Protection Features to Its Conusmer and Enterprise Antivirus Solutions", Jan. 19, 2006, 5 pages.
Kaichuan, "Kernel Komer-Why and How to Use Netlink Socket", retrieved on Jun. 5, 2018 at <<https://www.linuxjournal.com/article/7356>>, Jan. 5, 2015, pp. 1-13.
Kaichuan, "Kernel Komer—Why and How to Use Netlink Socket", retrieved on Jun. 5, 2018 at <<https://www.linuxjournal.com/article/7356>>, Jan. 5, 2015, pp. 1-13.
King et al, "Backtracking Intrusions", ACM SOSP, Oct. 2003, vol. 37, Issue 5, 14 pgs.
Messmer, "Are all rootkits evil? Settlement in Sony CD case resurrects old debate.", retrieved on Aug. 11, 2018 from https://www.networld.com/article/2312244/lan-wan/are-all-rootkits-evil.html, May 23, 2006, 4 pages.
Neira-Ayuso, et al., "Communicating between the kernel and user-space in Linux using Netlink sockets", Software-Practice and Experience, vol. 40, No. 9, Aug. 1, 2010, Wiley Interscience, pp. 797-810.
Neira-Ayuso, et al., "Communicating between the kernel and user-space in Linux using Netlink sockets", Software—Practice and Experience, vol. 40, No. 9, Aug. 1, 2010, Wiley Interscience, pp. 797-810.
Non Final Office Action dated Dec. 30, 2019 for U.S. Appl. No. 15/857,007 "Kernel- and User-Level Cooperative Security Processing" Diehl, 10 pages.
Non Final Office Action dated Jan. 24, 2020 for U.S. Appl. No. 16/408,180 "Integrity Assurance and Rebootless Updating During Runtime" Ionescu, 8 pages.
Office Action for U.S. Appl. No. 13/492,672, dated Apr. 7, 2014, David F. Diehl, "Kernel-Level Security Agent", 8 pages.
Office Action for U.S. Appl. No. 13/538,439, dated Apr. 23, 2015, Dmitri Alperovitch, "Social Sharing of Security Information in a Group", 6 pages.
Office action for U.S. Appl. No. 13/538,439, dated Jun. 30, 2014, Alperovitch et al., "Social Sharing of Security Information in a Group", 13 pages.
Office Action for U.S. Appl. No. 13/728,746, dated Apr. 14, 2014, David F. Diehl, "Real-Time Representation of Security-Relevant System State", 17 pages.
Office Action for U.S. Appl. No. 14/140,323, dated Jul. 31, 2015, David F. Diehl, "Kernel-Level Security Agent", 9 pages.
Office action for U.S. Appl. No. 14/140,323, dated May 11, 2016, Diehl et al., "Kernel-Level Security Agent", 15 pages.
Office Action for U.S. Appl. No. 14/220,362, dated Aug. 23, 2018, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 14 pages.
Office action for U.S. Appl. No. 14/220,362, dated Feb. 7, 2017, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 16 pages.
Office action for U.S. Appl. No. 14/220,362, dated May 25, 2016, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 12 pages.
Office action for U.S. Appl. No. 14/220,362, dated Nov. 7, 2017, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 16 pages.
Office action for U.S. Appl. No. 14/220,362, dated Sep. 16, 2016, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 14 pages.
Office action for U.S. Appl. No. 14/709,779, dated Aug. 12, 2016, Diehl et al., "Kernel-Level Security Agent", 7 pages.
Office action for U.S. Appl. No. 14/709,779, dated Feb. 23, 2016, Diehl et al., "Kernel-Level Security Agent", 14 pages.
Office action for U.S. Appl. No. 14/792,177, dated Dec. 16, 2016, Alperovitch et al., "Social Sharing of Security Information in a Group", 12 pages.
Office action for U.S. Appl. No. 14/792,177, dated Jun. 15, 2017, Alperovitch et al., "Social Sharing of Security Information in a Group", 14 pages.
Office action for U.S. Appl. No. 14/792,177, dated Jun. 30, 2016, Alperovitch et al., "Social Sharing of Security Information in a Group", 11 pages.
Office Action for U.S. Appl. No. 14/810,840, dated Apr. 20, 2017, Ionescu, "Integrity Assurance Through Early Loading in the Boot Phase", 12 pages.
Office Action for U.S. Appl. No. 14/810,840, dated Nov. 3, 2017, Ionescu, "Integrity Assurance Through Early Loading in the Boot Phase", 16 pages.
Office Action for U.S. Appl. No. 15/051,461, dated Aug. 16, 2018, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 11 pages.
Office action for U.S. Appl. No. 15/051,461, dated Dec. 8, 2016, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 9 pages.
Office action for U.S. Appl. No. 15/051,461, dated Jun. 1, 2017, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 11 pages.
Office action for U.S. Appl. No. 15/051,461, dated Mar. 15, 2018, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 12 pages.
Office Action for U.S. Appl. No. 15/051,461, dated Nov. 15, 2017, Ionescu, "Integrity Assurance and Rebootless Updating During Runtime", 9 pages.
Office action for U.S. Appl. No. 15/393,797, dated Apr. 18, 2017, Diehl et al., "Security Agent", 15 pages.
Office action for U.S. Appl. No. 15/393,797, dated Oct. 30, 2017, Diehl et al., "Security Agent", 10 pages.
Office Action for U.S. Appl. No. 15/438,553, dated Nov. 1, 2018, Petrbok et al, "Symmetric Bridge Component for Communications Between Kernel Mode and User Mode", 17 pages.
Office Action for U.S. Appl. No. 15/483,153, dated Jun. 29, 2017, Diehl et al., "Kernel-Level Security Agent", 12 pages.
Popenko, S. et al., "Driver to Hide Processes and Files", CodeProject, Aug. 17, 2009.
The Australian Office Action dated Jan. 22, 2018 for Australian Patent Application No. 2013272198, a counterpart foreign application of U.S. Pat. No. 9,043,903, 5 pages.
The Australian Office Action dated Nov. 30, 2017 for Australian patent application No. 2013281175, a counterpart foreign application of U.S. Pat. No. 9,292,881, 4 pages.
The European Office Action dated Aug. 7, 2018, for European patent application No. 13808592.3, a counterpart foreign application of U.S. Pat. No. 9,292,881, 6 pgaes.
The European Office Action dated Feb. 19, 2020 for European Patent Application No. 13808592.3, a counterpart of U.S. Pat. No. 9,292,881, 4 pages.
The European Office Action dated Jul. 5, 2019 for European Patent Application No. 13808592.3, a counterpart of U.S. Pat. No. 9,292,881, 5 pages.
The European Office Action dated Jun. 29, 2020 for European Patent Application No. 18157955.8, a counterpart foreign application of the U.S. Pat. No. 10,387,228, 10 pages.
The European Office Action dated Nov. 22, 2017 for European patent application No. 13800519.4, a counterpart foreign application of U.S. Pat. No. 9,043,903, 7 pgaes.
The European Office Action dated Sep. 11, 2017 for European Patent Application No. 16179598.4, a counterpart foreign application of U.S. Appl. No. 14/810,840, 4 pages.
The Extended European Search Report dated Dec. 6, 2016 for European patent application No. 16179598.4, 7 pages.
The Extended European Search Report dated Jan. 22, 2018 for European Patent Application No. 15764091.3, 11 pages.
The Extended European Search Report dated Jul. 3, 2020 for European Patent Application No. 20150542.7, 12 pages.
The Extended European Search Report dated Jun. 15, 2018 for European Patent Application No. 18157955.8, 10 pages.
The Extended European Search Report dated Jun. 2, 2016 for European patent application No. 13808592.3, 12 pages.
The Extended European Search Report dated Jun. 2, 2020 for European Patent Application No. 20172990.2, 8 pages.
The Israeli Office Action dated Sep. 11, 2017 for Israeli patent application No. 236390, a counterpart foreign application of U.S. Pat. No. 9,292,881, 7 pages.
The Japanese Office Action dated Jan. 29, 2019 for Japanese Patent Application No. 2016-557973, a counterpart of U.S. Appl. No. 14/220,362, 7 pages.
The Japanese Office Action dated Jan. 8, 2019 for Japanese Patent Application No. 2017-177787, a counterpart of U.S. Pat. No. 9,043,903, 7 pages.
The Partial European Search Report dated Apr. 1, 2020 for European Patent Application No. 20150542.7, a counterpart of U.S. Pat. No. 9,043,903, 12 pages.
The Partial Supplementary European Search Report dated Jan. 25, 2016 for European Patent Application No. 13808592.3, 6 pages.
The Partial Supplementary European Search Report dated Oct. 12, 2017 for European Patent Application No. 15764091.3, 13 pages.
The PCT Search Report and Written Opinion dated Apr. 28, 2015 for PCT application No. PCT/US2015/013522, 13 pages.
The PCT Search Report and Written Opinion dated Apr. 29, 2014 for PCT application No. PCT/US13/75856, 13 pages.
The PCT Search Report and Written Opinion dated Jun. 1, 2015 for PCT application No. PCT/US2015/020187, 13 pages.
The PCT Search Report and Written Opinion dated Sep. 17, 2013 for PCT application No. PCT/US2013/040420 , 12 pages.
The PCT Search Report and Written Opinion dated Sep. 26, 2013 for PCT Application No. PCT/US13/40428, 13 pages.
The Supplementary European Search Report dated Nov. 3, 2015 for European Patent Application No. 13800519.4, 7 pages.
The Supplementary Extended European Search Report dated Feb. 16, 2016 for European patent application No. 1380051934, 22 pages.
Translated the Israeli Office Action dated Aug. 30, 2017 for Israeli patent application No. 235905, a counterpart foreign application of U.S. Pat. No. 9,043,903, 5 pages.
Translated the Japanese Office Action dated Apr. 25, 2017 for Japanese Patent Application No. 2015-516024, a counterpart foreign application of U.S. Pat. No. 9,043,903, 22 pages.
Translated the Japanese Office Action dated Feb. 20, 2018 for Japanese Patent Application No. 2015-520185, a counterpart foreign application of U.S. Pat. No. 9,292,881, 9 pages.
Translated the Japanese Office Action dated Mar. 21, 2017 for Japanese patent application No. 2015-520185, a counterpart foreign application of U.S. Pat. No. 9,292,881, 11 pages.
Translated the Singapore Office Action dated Nov. 17, 2015 for Singapore patent application No. 11201408279Q, a counterpart foreign application of U.S. Appl. No. 13/538,439, 6 pages.
Translated the Singapore Office Action dated Sep. 28, 2015 for Singapore patent application No. 11201407292Q, a counterpart foreign application of U.S. Pat. No. 9,043,903, 6 pages.

Also Published As

Publication number Publication date
WO2013184281A1 (en) 2013-12-12
US9904784B2 (en) 2018-02-27
JP2017216018A (en) 2017-12-07
EP2859493B1 (en) 2020-01-08
AU2013272198A1 (en) 2014-11-27
US20130333040A1 (en) 2013-12-12
EP4404508A3 (en) 2024-10-16
EP2859493A1 (en) 2015-04-15
US10002250B2 (en) 2018-06-19
US20150244679A1 (en) 2015-08-27
IL235905A0 (en) 2015-01-29
SG11201407292QA (en) 2014-12-30
JP2015522874A (en) 2015-08-06
IL235905B (en) 2018-02-28
US20140109226A1 (en) 2014-04-17
EP2859493A4 (en) 2016-03-16
US9571453B2 (en) 2017-02-14
US20170213031A1 (en) 2017-07-27
EP4404508A2 (en) 2024-07-24
EP3654218B1 (en) 2024-04-03
CA2872786A1 (en) 2013-12-12
EP3654218A2 (en) 2020-05-20
US20190138723A1 (en) 2019-05-09
US9621515B2 (en) 2017-04-11
IN2014DN09583A (en) 2015-07-17
EP3654218A3 (en) 2020-08-05
BR112014030746A2 (en) 2017-06-27
US9043903B2 (en) 2015-05-26
US20170109530A1 (en) 2017-04-20
JP6212548B2 (en) 2017-10-11

Similar Documents

Publication Publication Date Title
US10853491B2 (en) Security agent
US11368432B2 (en) Network containment of compromised machines
EP3055808B1 (en) Event model for correlating system component states
US9256730B2 (en) Threat detection for return oriented programming
WO2018017498A1 (en) Inferential exploit attempt detection
EP3232358A1 (en) Correlation-based detection of exploit activity
US11599638B2 (en) Game engine-based computer security

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: CROWDSTRIKE, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DIEHL, DAVID F.;ALPEROVITCH, DMITRI;IONESCU, ION-ALEXANDRU;AND OTHERS;SIGNING DATES FROM 20120602 TO 20120606;REEL/FRAME:046848/0059

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT, CALI

Free format text: SECURITY INTEREST;ASSIGNORS:CROWDSTRIKE HOLDINGS, INC.;CROWDSTRIKE, INC.;CROWDSTRIKE SERVICES, INC.;REEL/FRAME:048953/0205

Effective date: 20190419

Owner name: SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT, CALIFORNIA

Free format text: SECURITY INTEREST;ASSIGNORS:CROWDSTRIKE HOLDINGS, INC.;CROWDSTRIKE, INC.;CROWDSTRIKE SERVICES, INC.;REEL/FRAME:048953/0205

Effective date: 20190419

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT, CALIFORNIA

Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:CROWDSTRIKE HOLDINGS, INC.;CROWDSTRIKE, INC.;REEL/FRAME:054899/0848

Effective date: 20210104

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4